
kbuild: sign the modules at install time

Linus deleted the old code and put signing on the install command;
I fixed it to extract the keyid and signer-name within sign-file,
and cleaned up that script so that it now always signs in-place.

Some enthusiast should convert sign-key to perl and pull
x509keyid into it.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Rusty Russell and committed by
Linus Torvalds
e2a666d5 c9623de4

+39 -111
+11
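--- a/Makefile
+++ b/Makefile
@@ -719,6 +719,17 @@
 export mod_strip_cmd
 
 
+ifeq ($(CONFIG_MODULE_SIG),y)
+MODSECKEY = ./signing_key.priv
+MODPUBKEY = ./signing_key.x509
+export MODPUBKEY
+mod_sign_cmd = sh $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY) $(srctree)/scripts/x509keyid
+else
+mod_sign_cmd = true
+endif
+export mod_sign_cmd
+
+
 ifeq ($(KBUILD_EXTMOD),)
 core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
 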
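Review bot: `mod_sign_cmd` at new line 726 runs the script as `sh $(srctree)/scripts/sign-file ...`, which bypasses the `#!/bin/bash` shebang this same commit gives scripts/sign-file; on systems where `sh` is dash, the script's `echo -n` emits a literal `-n` into the signed image. Either drop the interpreter, `mod_sign_cmd = $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY) $(srctree)/scripts/x509keyid` (if the file is executable), or invoke it with `bash` explicitly. Unlike the deleted Makefile.modpost logic, this definition has no in-tree-only guard and is exported ahead of the `ifeq ($(KBUILD_EXTMOD),)` block, so external-module installs appear to be signed as well; if that is intended, a one-line comment above the `ifeq` stating it would save the next reader from wondering.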
+1 -1
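--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -17,7 +17,7 @@
 @:
 
 quiet_cmd_modules_install = INSTALL $@
-cmd_modules_install = mkdir -p $(2); cp $@ $(2) ; $(mod_strip_cmd) $(2)/$(notdir $@)
+cmd_modules_install = mkdir -p $(2); cp $@ $(2) ; $(mod_strip_cmd) $(2)/$(notdir $@) ; $(mod_sign_cmd) $(2)/$(notdir $@)
 
 # Modules built outside the kernel source tree go into extra by default
 INSTALL_MOD_DIR ?= extra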
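Review bot: The added `$(mod_sign_cmd) $(2)/$(notdir $@)` hands sign-file the installed copy, so the `$mod.dig`, `$mod.sig` and `$mod~` scratch files that script creates now land in the install directory `$(2)` instead of the build tree, and nothing in this commit removes the `.dig`/`.sig` files afterwards; unless a cleanup exists outside the hunk they are left beside the installed modules. A trailing `rm -f $mod.dig $mod.sig` in sign-file, or a `trap` that removes them on exit, would keep the install tree clean. Because the recipe chains with `;`, a failed `cp` or strip does not prevent the sign step from running on whatever is at that path; joining the new step with `&&` instead is safer.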
+1 -76
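--- a/scripts/Makefile.modpost
+++ b/scripts/Makefile.modpost
@@ -14,8 +14,7 @@
 # 3) create one <module>.mod.c file pr. module
 # 4) create one Module.symvers file with CRC for all exported symbols
 # 5) compile all <module>.mod.c files
-# 6) final link of the module to a <module.ko> (or <module.unsigned>) file
-# 7) signs the modules to a <module.ko> file
+# 6) final link of the module to a <module.ko> file
 
 # Step 3 is used to place certain information in the module's ELF
 # section, including information such as:
@@ -31,8 +32,6 @@
 
 # Step 4 is solely used to allow module versioning in external modules,
 # where the CRC of each module is retrieved from the Module.symvers file.
-
-# Step 7 is dependent on CONFIG_MODULE_SIG being enabled.
 
 # KBUILD_MODPOST_WARN can be set to avoid error out in case of undefined
 # symbols in the final module linking stage
@@ -116,7 +119,6 @@
 targets += $(modules:.ko=.mod.o)
 
 # Step 6), final link of the modules
-ifneq ($(CONFIG_MODULE_SIG),y)
 quiet_cmd_ld_ko_o = LD [M] $@
 cmd_ld_ko_o = $(LD) -r $(LDFLAGS) \
 $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \
@@ -125,78 +129,7 @@
 $(call if_changed,ld_ko_o)
 
 targets += $(modules)
-else
-quiet_cmd_ld_ko_unsigned_o = LD [M] $@
-cmd_ld_ko_unsigned_o = \
-$(LD) -r $(LDFLAGS) \
-$(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \
--o $@ $(filter-out FORCE,$^) \
-$(if $(AFTER_LINK),; $(AFTER_LINK))
 
-$(modules:.ko=.ko.unsigned): %.ko.unsigned :%.o %.mod.o FORCE
-$(call if_changed,ld_ko_unsigned_o)
-
-targets += $(modules:.ko=.ko.unsigned)
-
-# Step 7), sign the modules
-MODSECKEY = ./signing_key.priv
-MODPUBKEY = ./signing_key.x509
-
-ifeq ($(wildcard $(MODSECKEY))+$(wildcard $(MODPUBKEY)),$(MODSECKEY)+$(MODPUBKEY))
-ifeq ($(KBUILD_SRC),)
-# no O= is being used
-SCRIPTS_DIR := scripts
-else
-SCRIPTS_DIR := $(KBUILD_SRC)/scripts
-endif
-SIGN_MODULES := 1
-else
-SIGN_MODULES := 0
-endif
-
-# only sign if it's an in-tree module
-ifneq ($(KBUILD_EXTMOD),)
-SIGN_MODULES := 0
-endif
-
-# We strip the module as best we can - note that using both strip and eu-strip
-# results in a smaller module than using either alone.
-EU_STRIP = $(shell which eu-strip || echo true)
-
-quiet_cmd_sign_ko_stripped_ko_unsigned = STRIP [M] $@
-cmd_sign_ko_stripped_ko_unsigned = \
-cp $< $@ && \
-strip -x -g $@ && \
-$(EU_STRIP) $@
-
-ifeq ($(SIGN_MODULES),1)
-
-quiet_cmd_genkeyid = GENKEYID $@
-cmd_genkeyid = \
-perl $(SCRIPTS_DIR)/x509keyid $< $<.signer $<.keyid
-
-%.signer %.keyid: %
-$(call if_changed,genkeyid)
-
-KEYRING_DEP := $(MODSECKEY) $(MODPUBKEY) $(MODPUBKEY).signer $(MODPUBKEY).keyid
-quiet_cmd_sign_ko_ko_stripped = SIGN [M] $@
-cmd_sign_ko_ko_stripped = \
-sh $(SCRIPTS_DIR)/sign-file $(MODSECKEY) $(MODPUBKEY) $< $@
-else
-KEYRING_DEP :=
-quiet_cmd_sign_ko_ko_unsigned = NO SIGN [M] $@
-cmd_sign_ko_ko_unsigned = \
-cp $< $@
-endif
-
-$(modules): %.ko :%.ko.stripped $(KEYRING_DEP) FORCE
-$(call if_changed,sign_ko_ko_stripped)
-
-$(patsubst %.ko,%.ko.stripped,$(modules)): %.ko.stripped :%.ko.unsigned FORCE
-$(call if_changed,sign_ko_stripped_ko_unsigned)
-
-targets += $(modules)
-endif
 
 # Add FORCE to the prequisites of a target to force it to be always rebuilt.
 # ----------------------------------------------------------------------------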
+18 -26
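--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -1,8 +1,8 @@
-#!/bin/sh
+#!/bin/bash
 #
 # Sign a module file using the given key.
 #
-# Format: sign-file <key> <x509> <src-file> <dst-file>
+# Format: sign-file <key> <x509> <keyid-script> <module>
 #
 
 scripts=`dirname $0`
@@ -15,8 +15,8 @@
 
 key="$1"
 x509="$2"
-src="$3"
-dst="$4"
+keyid_script="$3"
+mod="$4"
 
 if [ ! -r "$key" ]
 then
@@ -28,16 +28,6 @@
 then
 echo "Can't read X.509 certificate" >&2
 exit 2
-fi
-if [ ! -r "$x509.signer" ]
-then
-echo "Can't read Signer name" >&2
-exit 2;
-fi
-if [ ! -r "$x509.keyid" ]
-then
-echo "Can't read Key identifier" >&2
-exit 2;
 fi
 
 #
@@ -73,33 +83,35 @@
 
 (
 perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
-openssl dgst $dgst -binary $src || exit $?
-) >$src.dig || exit $?
+openssl dgst $dgst -binary $mod || exit $?
+) >$mod.dig || exit $?
 
 #
 # Generate the binary signature, which will be just the integer that comprises
 # the signature with no metadata attached.
 #
-openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
-signerlen=`stat -c %s $x509.signer`
-keyidlen=`stat -c %s $x509.keyid`
-siglen=`stat -c %s $src.sig`
+openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?
+
+SIGNER="`perl $keyid_script $x509 signer-name`"
+KEYID="`perl $keyid_script $x509 keyid`"
+keyidlen=${#KEYID}
+siglen=${#SIGNER}
 
 #
 # Build the signed binary
 #
 (
-cat $src || exit $?
+cat $mod || exit $?
 echo '~Module signature appended~' || exit $?
-cat $x509.signer $x509.keyid || exit $?
+echo -n "$SIGNER" || exit $?
+echo -n "$KEYID" || exit $?
 
 # Preface each signature integer with a 2-byte BE length
 perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
-cat $src.sig || exit $?
+cat $mod.sig || exit $?
 
 # Generate the information block
 perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
-) >$dst~ || exit $?
+) >$mod~ || exit $?
 
-# Permit in-place signing
-mv $dst~ $dst || exit $?
+mv $mod~ $mod || exit $?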
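Review bot: New lines 97-98 set `keyidlen=${#KEYID}` and `siglen=${#SIGNER}` but never assign `signerlen`, and `siglen` now holds the length of the signer name instead of the size of `$mod.sig`; the old `signerlen=` and `siglen=\`stat ...\`` lines at 84-86 were removed with nothing replacing them. As a result the 2-byte length prefix at line 110 is wrong and the information block at line 114 interpolates an empty `$signerlen`, shifting every following field, so the appended signature will not describe what was actually written. The three lines should read `signerlen=${#SIGNER}`, `keyidlen=${#KEYID}` and `siglen=$(stat -c %s $mod.sig)`. Separately, moving the signer name and key id from files into shell variables assumes they are NUL-free text; if x509keyid prints raw DER or hash bytes (the old code `cat`'d them as binary), command substitution drops NUL bytes and `${#VAR}` counts characters rather than bytes under a UTF-8 locale, so keeping those two values in temporary files as before, or measuring them with `wc -c`, is the safer path.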
+8 -8
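--- a/scripts/x509keyid
+++ b/scripts/x509keyid
@@ -22,7 +22,7 @@
 
 my $raw_data;
 
-die "Need three filenames\n" if ($#ARGV != 2);
+die "Need a filename [keyid|signer-name]\n" if ($#ARGV != 1);
 
 my $src = $ARGV[0];
 
@@ -259,10 +259,10 @@
 
 my $id_key_id = asn1_retrieve($subject_key_id->[1]);
 
-open(OUTFD, ">$ARGV[1]") || die $ARGV[1];
-print OUTFD $id_name;
-close OUTFD || die $ARGV[1];
-
-open(OUTFD, ">$ARGV[2]") || die $ARGV[2];
-print OUTFD $id_key_id;
-close OUTFD || die $ARGV[2];
+if ($ARGV[1] eq "signer-name") {
+print $id_name;
+} elsif ($ARGV[1] eq "keyid") {
+print $id_key_id;
+} else {
+die "Unknown arg";
+}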
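Review bot: The mode argument `$ARGV[1]` is only checked in the new `if`/`elsif` at lines 262-268, after the whole certificate has been parsed, so a mistyped mode such as `key-id` does all the work before failing with the bare `die "Unknown arg"` (no trailing newline, so Perl appends the script location). Checking it next to the argument-count test at line 25, e.g. `die "Need a filename [keyid|signer-name]\n" unless $ARGV[1] eq "keyid" or $ARGV[1] eq "signer-name";`, fails fast and reuses the usage text. The two values now go to STDOUT; if `asn1_retrieve` returns raw bytes, as the binary handling in sign-file suggests, a `binmode STDOUT;` before the `print` calls would make that explicit and keep any I/O layer set via the environment from altering the output.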