From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752237AbbETAgn (ORCPT ); Tue, 19 May 2015 20:36:43 -0400
Received: from mail.kernel.org ([198.145.29.136]:50192 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752165AbbETAgk (ORCPT ); Tue, 19 May 2015 20:36:40 -0400
Message-ID: <555BD715.40202@kernel.org>
Date: Tue, 19 May 2015 17:36:37 -0700
From: Andy Lutomirski
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: David Howells , rusty@rustcorp.com.au
CC: mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, mcgrof@suse.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk>
In-Reply-To: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

I'm not sure I want to get involved here, but...

On 05/15/2015 05:35 AM, David Howells wrote:
>
> Hi Rusty,
>
> Here's a set of patches that does the following:
>
>  (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension.
>      We already extract the bit that can match the subjectKeyIdentifier (SKID)
>      of the parent X.509 cert, but we currently ignore the bits that can match
>      the issuer and serialNumber.
>
>      Looks up an X.509 cert by issuer and serialNumber if those are provided in
>      the AKID. If the keyIdentifier is also provided, checks that the
>      subjectKeyIdentifier of the cert found matches that also.
>
>      If no issuer and serialNumber are provided in the AKID, looks up an X.509
>      cert by SKID using the AKID keyIdentifier.
>
>      This allows module signing to be done with certificates that don't have an
>      SKID by which they can be looked up.

I think this is way more complicated than it has to be. Can't we look up
certificates by their subjectPublicKeyInfo? Every public key has a
subjectPublicKeyInfo, and even key types that aren't X.509 at all have
something equivalent to that.

>
>  (2) Makes use of the PKCS#7 facility to provide module signatures.
>
>      sign-file is replaced with a program that generates a PKCS#7 message that
>      has no X.509 certs embedded and that has detached data (the module
>      content) and adds it onto the message with magic string and descriptor.

Why is PKCS#7 better than whatever we're using now?

>
>  (3) The PKCS#7 message (and matching X.509 cert) supply all the information
>      that is needed to select the X.509 cert to be used to verify the signature
>      by standard means (including selection of digest algorithm and public key
>      algorithm). No kernel-specific magic values are required.

I would take kernel-specific over PKCS#7 any day. PKCS#7 is severely
overcomplicated for what we're doing here.

--Andy
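
The lookup order described in item (1) of the quoted cover letter, as an added illustration that is not code from the patch set or the kernel. The types, `find_signer` and the sample keyring are hypothetical, and rejecting a cert whose SKID does not match a supplied keyIdentifier is an assumption about what "checks" means there.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical simplified types: IDs are strings, NULL means "absent". */
struct cert { const char *issuer, *serial, *skid; };   /* skid may be NULL */
struct akid { const char *issuer, *serial, *key_id; }; /* any may be NULL */

static int same(const char *a, const char *b)
{
    return a && b && strcmp(a, b) == 0;
}

/* Returns the index of the matching cert in ring[], or -1 if none. */
int find_signer(const struct cert *ring, size_t n, const struct akid *id)
{
    size_t i;

    if (id->issuer && id->serial) {
        /* Preferred path: issuer + serialNumber taken from the AKID. */
        for (i = 0; i < n; i++) {
            if (!same(ring[i].issuer, id->issuer) ||
                !same(ring[i].serial, id->serial))
                continue;
            /* Assumption: a keyIdentifier that is given must equal the
             * cert's SKID; a mismatch or a missing SKID rejects it. */
            if (id->key_id && !same(ring[i].skid, id->key_id))
                return -1;
            return (int)i;
        }
        return -1;
    }
    /* Fallback: match the AKID keyIdentifier against each cert's SKID. */
    for (i = 0; i < n; i++)
        if (same(ring[i].skid, id->key_id))
            return (int)i;
    return -1;
}

/* Constructed sample keyring; the second cert carries no SKID. */
static const struct cert sample_ring[] = {
    { "CN=Build CA", "01", "aa11" },
    { "CN=Module signing key", "7f", NULL },
};

int main(void)
{
    /* AKID carrying issuer + serial only: finds the SKID-less cert. */
    struct akid by_serial = { "CN=Module signing key", "7f", NULL };
    return find_signer(sample_ring, 2, &by_serial) == 1 ? 0 : 1;
}
```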