From 3f1e1bea34740069f70c6bc92d0f712345d5c28e Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 20 Jul 2015 21:16:27 +0100 Subject: MODSIGN: Use PKCS#7 messages as module signatures Move to using PKCS#7 messages as module signatures because: (1) We have to be able to support the use of X.509 certificates that don't have a subjKeyId set. We're currently relying on this to look up the X.509 certificate in the trusted keyring list. (2) PKCS#7 message signed information blocks have a field that supplies the data required to match with the X.509 certificate that signed it. (3) The PKCS#7 certificate carries fields that specify the digest algorithm used to generate the signature in a standardised way and the X.509 certificates specify the public key algorithm in a standardised way - so we don't need our own methods of specifying these. (4) We now have PKCS#7 message support in the kernel for signed kexec purposes and we can make use of this. To make this work, the old sign-file script has been replaced with a program that needs compiling in a previous patch. The rules to build it are added here. Signed-off-by: David Howells Tested-by: Vivek Goyal --- init/Kconfig | 1 + 1 file changed, 1 insertion(+) (limited to 'init/Kconfig') diff --git a/init/Kconfig b/init/Kconfig index af09b4fb43d2..e16d9e587cee 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1869,6 +1869,7 @@ config MODULE_SIG select ASN1 select OID_REGISTRY select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER help Check modules for valid signatures upon load: the signature is simply appended to the module. For more information see -- cgit v1.2.3 From 091f6e26eb326adbd718f406e440c838bed8ebb6 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 20 Jul 2015 21:16:28 +0100 Subject: MODSIGN: Extract the blob PKCS#7 signature verifier from module signing Extract the function that drives the PKCS#7 signature verification given a data blob and a PKCS#7 blob out from the module signing code and lump it with the system keyring code as it's generic. This makes it independent of module config options and opens it to use by the firmware loader. Signed-off-by: David Howells Cc: Luis R. Rodriguez Cc: Rusty Russell Cc: Ming Lei Cc: Seth Forshee Cc: Kyle McMartin --- init/Kconfig | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) (limited to 'init/Kconfig') diff --git a/init/Kconfig b/init/Kconfig index e16d9e587cee..14b3d8422502 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1752,6 +1752,24 @@ config SYSTEM_TRUSTED_KEYRING Keys in this keyring are used by module signature checking. +config SYSTEM_DATA_VERIFICATION + def_bool n + select SYSTEM_TRUSTED_KEYRING + select KEYS + select CRYPTO + select ASYMMETRIC_KEY_TYPE + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select PUBLIC_KEY_ALGO_RSA + select ASN1 + select OID_REGISTRY + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + help + Provide PKCS#7 message verification using the contents of the system + trusted keyring to provide public keys. This then can be used for + module verification, kexec image verification and firmware blob + verification. + config PROFILING bool "Profiling support" help @@ -1860,16 +1878,7 @@ config MODULE_SRCVERSION_ALL config MODULE_SIG bool "Module signature verification" depends on MODULES - select SYSTEM_TRUSTED_KEYRING - select KEYS - select CRYPTO - select ASYMMETRIC_KEY_TYPE - select ASYMMETRIC_PUBLIC_KEY_SUBTYPE - select PUBLIC_KEY_ALGO_RSA - select ASN1 - select OID_REGISTRY - select X509_CERTIFICATE_PARSER - select PKCS7_MESSAGE_PARSER + select SYSTEM_DATA_VERIFICATION help Check modules for valid signatures upon load: the signature is simply appended to the module. For more information see -- cgit v1.2.3 From 19e91b69d77bab16405cc284b451378e89a4110c Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Mon, 20 Jul 2015 21:16:29 +0100 Subject: modsign: Allow external signing key to be specified Signed-off-by: David Woodhouse Signed-off-by: David Howells --- init/Kconfig | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'init/Kconfig') diff --git a/init/Kconfig b/init/Kconfig index 14b3d8422502..1b1148e9181b 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1948,6 +1948,20 @@ config MODULE_SIG_HASH default "sha384" if MODULE_SIG_SHA384 default "sha512" if MODULE_SIG_SHA512 +config MODULE_SIG_KEY + string "File name or PKCS#11 URI of module signing key" + default "signing_key.priv" + depends on MODULE_SIG + help + Provide the file name of a private key in PKCS#8 PEM format, or + a PKCS#11 URI according to RFC7512. The corresponding X.509 + certificate in DER form should be present in signing_key.x509 + in the top-level build directory. + + If this option is unchanged from its default "signing_key.priv", + then the kernel will automatically generate the private key and + certificate as described in Documentation/module-signing.txt + config MODULE_COMPRESS bool "Compress modules on installation" depends on MODULES -- cgit v1.2.3 From 1329e8cc69b93a0b1bc6d197b30dcff628c18dbf Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Mon, 20 Jul 2015 21:16:30 +0100 Subject: modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed Where an external PEM file or PKCS#11 URI is given, we can get the cert from it for ourselves instead of making the user drop signing_key.x509 in place for us. Signed-off-by: David Woodhouse Signed-off-by: David Howells --- init/Kconfig | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'init/Kconfig') diff --git a/init/Kconfig b/init/Kconfig index 1b1148e9181b..e2e0a1d27886 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1953,10 +1953,10 @@ config MODULE_SIG_KEY default "signing_key.priv" depends on MODULE_SIG help - Provide the file name of a private key in PKCS#8 PEM format, or - a PKCS#11 URI according to RFC7512. The corresponding X.509 - certificate in DER form should be present in signing_key.x509 - in the top-level build directory. + Provide the file name of a private key/certificate in PEM format, + or a PKCS#11 URI according to RFC7512. The file should contain, or + the URI should identify, both the certificate and its corresponding + private key. If this option is unchanged from its default "signing_key.priv", then the kernel will automatically generate the private key and -- cgit v1.2.3 From fb1179499134bc718dc7557c7a6a95dc72f224cb Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Mon, 20 Jul 2015 21:16:30 +0100 Subject: modsign: Use single PEM file for autogenerated key The current rule for generating signing_key.priv and signing_key.x509 is a classic example of a bad rule which has a tendency to break parallel make. When invoked to create *either* target, it generates the other target as a side-effect that make didn't predict. So let's switch to using a single file signing_key.pem which contains both key and certificate. That matches what we do in the case of an external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also slightly cleaner. Signed-off-by: David Woodhouse Signed-off-by: David Howells --- init/Kconfig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'init/Kconfig') diff --git a/init/Kconfig b/init/Kconfig index e2e0a1d27886..2b119850784b 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1950,7 +1950,7 @@ config MODULE_SIG_HASH config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" - default "signing_key.priv" + default "signing_key.pem" depends on MODULE_SIG help Provide the file name of a private key/certificate in PEM format, @@ -1958,7 +1958,7 @@ config MODULE_SIG_KEY the URI should identify, both the certificate and its corresponding private key. - If this option is unchanged from its default "signing_key.priv", + If this option is unchanged from its default "signing_key.pem", then the kernel will automatically generate the private key and certificate as described in Documentation/module-signing.txt -- cgit v1.2.3 From 99d27b1b52bd5cdf9bd9f7661ca8641e9a1b55e6 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Mon, 20 Jul 2015 21:16:31 +0100 Subject: modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option Let the user explicitly provide a file containing trusted keys, instead of just automatically finding files matching *.x509 in the build tree and trusting whatever we find. This really ought to be an *explicit* configuration, and the build rules for dealing with the files were fairly painful too. Fix applied from James Morris that removes an '=' from a macro definition in kernel/Makefile as this is a feature that only exists from GNU make 3.82 onwards. Signed-off-by: David Woodhouse Signed-off-by: David Howells --- init/Kconfig | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'init/Kconfig') diff --git a/init/Kconfig b/init/Kconfig index 2b119850784b..62b725653c36 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1752,6 +1752,19 @@ config SYSTEM_TRUSTED_KEYRING Keys in this keyring are used by module signature checking. +config SYSTEM_TRUSTED_KEYS + string "Additional X.509 keys for default system keyring" + depends on SYSTEM_TRUSTED_KEYRING + help + If set, this option should be the filename of a PEM-formatted file + containing trusted X.509 certificates to be included in the default + system keyring. Any certificate used for module signing is implicitly + also trusted. + + NOTE: If you previously provided keys for the system keyring in the + form of DER-encoded *.x509 files in the top-level build directory, + those are no longer used. You will need to set this option instead. + config SYSTEM_DATA_VERIFICATION def_bool n select SYSTEM_TRUSTED_KEYRING -- cgit v1.2.3 From 228c37ff980f5643401a1667f5ab7c6f38602cf8 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 11 Aug 2015 12:38:54 +0100 Subject: sign-file: Document dependency on OpenSSL devel libraries The revised sign-file program is no longer a script that wraps the openssl program, but now rather a program that makes use of OpenSSL's crypto library. This means that to build the sign-file program, the kernel build process now has a dependency on the OpenSSL development packages in addition to OpenSSL itself. Document this in Kconfig and in module-signing.txt. Signed-off-by: David Howells Reviewed-by: David Woodhouse --- init/Kconfig | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'init/Kconfig') diff --git a/init/Kconfig b/init/Kconfig index 62b725653c36..5d1a703663ad 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1897,6 +1897,10 @@ config MODULE_SIG is simply appended to the module. For more information see Documentation/module-signing.txt. + Note that this option adds the OpenSSL development packages as a + kernel build dependency so that the signing tool can use its crypto + library. + !!!WARNING!!! If you enable this option, you MUST make sure that the module DOES NOT get stripped after being signed. This includes the debuginfo strip done by some packagers (such as rpmbuild) and -- cgit v1.2.3 From cfc411e7fff3e15cd6354ff69773907e2c9d1c0c Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 14 Aug 2015 15:20:41 +0100 Subject: Move certificate handling to its own directory Move certificate handling out of the kernel/ directory and into a certs/ directory to get all the weird stuff in one place and move the generated signing keys into this directory. Signed-off-by: David Howells Reviewed-by: David Woodhouse --- init/Kconfig | 39 --------------------------------------- 1 file changed, 39 deletions(-) (limited to 'init/Kconfig') diff --git a/init/Kconfig b/init/Kconfig index 5d1a703663ad..5526dfaac628 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1740,31 +1740,6 @@ config MMAP_ALLOW_UNINITIALIZED See Documentation/nommu-mmap.txt for more information. -config SYSTEM_TRUSTED_KEYRING - bool "Provide system-wide ring of trusted keys" - depends on KEYS - help - Provide a system keyring to which trusted keys can be added. Keys in - the keyring are considered to be trusted. Keys may be added at will - by the kernel from compiled-in data and from hardware key stores, but - userspace may only add extra keys if those keys can be verified by - keys already in the keyring. - - Keys in this keyring are used by module signature checking. - -config SYSTEM_TRUSTED_KEYS - string "Additional X.509 keys for default system keyring" - depends on SYSTEM_TRUSTED_KEYRING - help - If set, this option should be the filename of a PEM-formatted file - containing trusted X.509 certificates to be included in the default - system keyring. Any certificate used for module signing is implicitly - also trusted. - - NOTE: If you previously provided keys for the system keyring in the - form of DER-encoded *.x509 files in the top-level build directory, - those are no longer used. You will need to set this option instead. - config SYSTEM_DATA_VERIFICATION def_bool n select SYSTEM_TRUSTED_KEYRING @@ -1965,20 +1940,6 @@ config MODULE_SIG_HASH default "sha384" if MODULE_SIG_SHA384 default "sha512" if MODULE_SIG_SHA512 -config MODULE_SIG_KEY - string "File name or PKCS#11 URI of module signing key" - default "signing_key.pem" - depends on MODULE_SIG - help - Provide the file name of a private key/certificate in PEM format, - or a PKCS#11 URI according to RFC7512. The file should contain, or - the URI should identify, both the certificate and its corresponding - private key. - - If this option is unchanged from its default "signing_key.pem", - then the kernel will automatically generate the private key and - certificate as described in Documentation/module-signing.txt - config MODULE_COMPRESS bool "Compress modules on installation" depends on MODULES -- cgit v1.2.3