modsign: Allow external signing key to be specified

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
David Woodhouse 2015-07-20 21:16:29 +01:00 committed by David Howells
parent 6e3e281f39
commit 19e91b69d7
4 changed files with 46 additions and 6 deletions


@ -88,6 +88,22 @@ This has a number of options available:
than being a module) so that modules signed with that algorithm can have
their signatures checked without causing a dependency loop.
(4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
Setting this option to something other than its default of
"signing_key.priv" will disable the autogeneration of signing keys and
allow the kernel modules to be signed with a key of your choosing.
The string provided should identify a file containing a private key
in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11 is
appropriately installed — a PKCS#11 URI as defined by RFC7512.
If the PEM file containing the private key is encrypted, or if the
PKCS#11 token requries a PIN, this can be provided at build time by
means of the KBUILD_SIGN_PIN variable.
The corresponding X.509 certificate in DER form should still be placed
in a file named signing_key.x509 in the top-level build directory.
=======================
GENERATING SIGNING KEYS
@ -100,8 +116,9 @@ it can be deleted or stored securely. The public key gets built into the
kernel so that it can be used to check the signatures as the modules are
loaded.
Under normal conditions, the kernel build will automatically generate a new
keypair using openssl if one does not exist in the files:
Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its
default of "signing_key.priv", the kernel build will automatically generate
a new keypair using openssl if one does not exist in the files:
signing_key.priv
signing_key.x509
@ -135,8 +152,12 @@ kernel sources tree and the openssl command. The following is an example to
generate the public/private key files:
openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
-config x509.genkey -outform DER -out signing_key.x509 \
-keyout signing_key.priv
-config x509.genkey -outform PEM -out kernel_key.pem \
-keyout kernel_key.pem
The full pathname for the resulting kernel_key.pem file can then be specified
in the CONFIG_MODULE_SIG_KEY option, and the certificate and key therein will
be used instead of an autogenerated keypair.
=========================
@ -181,7 +202,7 @@ To manually sign a module, use the scripts/sign-file tool available in
the Linux kernel source tree. The script requires 4 arguments:
1. The hash algorithm (e.g., sha256)
2. The private key filename
2. The private key filename or PKCS#11 URI
3. The public key filename
4. The kernel module to be signed


@ -870,7 +870,7 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4
# export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
ifdef CONFIG_MODULE_SIG_ALL
MODSECKEY = ./signing_key.priv
MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
MODPUBKEY = ./signing_key.x509
export MODPUBKEY
mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
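Review bot: `MODSECKEY = $(CONFIG_MODULE_SIG_KEY)` passes a user-controlled Kconfig string straight onto the `scripts/sign-file` command line two lines below, and a PKCS#11 URI may legitimately carry a `pin-value=` attribute (RFC 7512), so a PIN placed there ends up in .config — which distributions routinely install under /boot — and in any build log that echoes the signing command. The doc hunk in this commit points users at KBUILD_SIGN_PIN instead, but nothing near this assignment says so; a one-line comment would keep the two in step, e.g. `# Kconfig string (arrives double-quoted); put PINs in KBUILD_SIGN_PIN, never in the URI/.config.` The quoting detail is worth recording because the surviving quotes are what keep a URI containing `;` or `?` as a single shell word when mod_sign_cmd is expanded. Whether mod_sign_cmd is exported or echoed under V=1 is determined outside this hunk, so that part is inferred.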


@ -1948,6 +1948,20 @@ config MODULE_SIG_HASH
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
config MODULE_SIG_KEY
string "File name or PKCS#11 URI of module signing key"
default "signing_key.priv"
depends on MODULE_SIG
help
Provide the file name of a private key in PKCS#8 PEM format, or
a PKCS#11 URI according to RFC7512. The corresponding X.509
certificate in DER form should be present in signing_key.x509
in the top-level build directory.
If this option is unchanged from its default "signing_key.priv",
then the kernel will automatically generate the private key and
certificate as described in Documentation/module-signing.txt
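Review bot: The new help text for MODULE_SIG_KEY does not say how a relative file name is resolved, yet the default `"signing_key.priv"` is itself relative, and a user building with O= will presumably find that only a path relative to the object directory (where sign-file is invoked from) works — worth confirming against the caller and then stating, e.g. `Relative paths are resolved against the build output directory; prefer an absolute path.` It also omits the operational warning that belongs here rather than only in module-signing.txt: .config is commonly packaged and installed alongside the kernel, so a PKCS#11 URI must not embed the token PIN (pin-value=); the PIN should be supplied at build time via KBUILD_SIGN_PIN. Finally, "PKCS#8 PEM format" here is narrower than the documentation hunk's "private key in PEM form"; one of the two should be adjusted so users know whether a traditional-format RSA PEM is accepted.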
config MODULE_COMPRESS
bool "Compress modules on installation"
depends on MODULES


@ -170,6 +170,10 @@ ifndef CONFIG_MODULE_SIG_HASH
$(error Could not determine digest type to use from kernel config)
endif
# We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
signing_key.priv signing_key.x509: x509.genkey
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
@ -207,3 +211,4 @@ x509.genkey:
@echo >>x509.genkey "subjectKeyIdentifier=hash"
@echo >>x509.genkey "authorityKeyIdentifier=keyid"
endif
endif
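Review bot: The new `ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")` relies on the Kconfig string reaching the Makefile with its double quotes intact; a value supplied on the make command line or from the environment without quotes silently takes the external-key branch and no key is generated, which deserves a comment next to the randconfig rationale, e.g. `# Kconfig strings are double-quoted in auto.conf, so compare against the quoted default.` In the external-key case the hunk adds no check at all, so a mistyped file name (or a missing signing_key.x509, which the help text still requires) is only reported later by sign-file or as a bare "No rule to make target" error; for non-PKCS#11 values an `else` branch with a parse-time `$(if $(wildcard $(CONFIG_MODULE_SIG_KEY:"%"=%)),,$(error CONFIG_MODULE_SIG_KEY file not found))` would fail earlier and more clearly. The enclosing `ifeq ($(CONFIG_MODULE_SIG),y)` block and the certificate list that consumes signing_key.x509 are outside this hunk, so the missing-target behaviour is inferred.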