modsign: Allow external signing key to be specified
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David Howells <dhowells@redhat.com>hifive-unleashed-5.1
David Woodhouse
David Howells
parent
6e3e281f39
commit
19e91b69d7
|
|
@ -88,6 +88,22 @@ This has a number of options available:
|
|||
than being a module) so that modules signed with that algorithm can have
|
||||
their signatures checked without causing a dependency loop.
|
||||
|
||||
(4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
|
||||
|
||||
Setting this option to something other than its default of
|
||||
"signing_key.priv" will disable the autogeneration of signing keys and
|
||||
allow the kernel modules to be signed with a key of your choosing.
|
||||
The string provided should identify a file containing a private key
|
||||
in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11 is
|
||||
appropriately installed — a PKCS#11 URI as defined by RFC7512.
|
||||
|
||||
If the PEM file containing the private key is encrypted, or if the
|
||||
PKCS#11 token requries a PIN, this can be provided at build time by
|
||||
means of the KBUILD_SIGN_PIN variable.
|
||||
|
||||
The corresponding X.509 certificate in DER form should still be placed
|
||||
in a file named signing_key.x509 in the top-level build directory.
|
||||
|
||||
|
||||
=======================
|
||||
GENERATING SIGNING KEYS
|
||||
|
|
@ -100,8 +116,9 @@ it can be deleted or stored securely. The public key gets built into the
|
|||
kernel so that it can be used to check the signatures as the modules are
|
||||
loaded.
|
||||
|
||||
Under normal conditions, the kernel build will automatically generate a new
|
||||
keypair using openssl if one does not exist in the files:
|
||||
Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its
|
||||
default of "signing_key.priv", the kernel build will automatically generate
|
||||
a new keypair using openssl if one does not exist in the files:
|
||||
|
||||
signing_key.priv
|
||||
signing_key.x509
|
||||
|
|
@ -135,8 +152,12 @@ kernel sources tree and the openssl command. The following is an example to
|
|||
generate the public/private key files:
|
||||
|
||||
openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
|
||||
-config x509.genkey -outform DER -out signing_key.x509 \
|
||||
-keyout signing_key.priv
|
||||
-config x509.genkey -outform PEM -out kernel_key.pem \
|
||||
-keyout kernel_key.pem
|
||||
|
||||
The full pathname for the resulting kernel_key.pem file can then be specified
|
||||
in the CONFIG_MODULE_SIG_KEY option, and the certificate and key therein will
|
||||
be used instead of an autogenerated keypair.
|
||||
|
||||
|
||||
=========================
|
||||
|
|
@ -181,7 +202,7 @@ To manually sign a module, use the scripts/sign-file tool available in
|
|||
the Linux kernel source tree. The script requires 4 arguments:
|
||||
|
||||
1. The hash algorithm (e.g., sha256)
|
||||
2. The private key filename
|
||||
2. The private key filename or PKCS#11 URI
|
||||
3. The public key filename
|
||||
4. The kernel module to be signed
|
||||
|
||||
|
|
|
|||
2
Makefile
2
Makefile
|
|
@ -870,7 +870,7 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4
|
|||
# export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
|
||||
|
||||
ifdef CONFIG_MODULE_SIG_ALL
|
||||
MODSECKEY = ./signing_key.priv
|
||||
MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
|
||||
MODPUBKEY = ./signing_key.x509
|
||||
export MODPUBKEY
|
||||
mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
|
||||
|
|
|
|||
14
init/Kconfig
14
init/Kconfig
|
|
@ -1948,6 +1948,20 @@ config MODULE_SIG_HASH
|
|||
default "sha384" if MODULE_SIG_SHA384
|
||||
default "sha512" if MODULE_SIG_SHA512
|
||||
|
||||
config MODULE_SIG_KEY
|
||||
string "File name or PKCS#11 URI of module signing key"
|
||||
default "signing_key.priv"
|
||||
depends on MODULE_SIG
|
||||
help
|
||||
Provide the file name of a private key in PKCS#8 PEM format, or
|
||||
a PKCS#11 URI according to RFC7512. The corresponding X.509
|
||||
certificate in DER form should be present in signing_key.x509
|
||||
in the top-level build directory.
|
||||
|
||||
If this option is unchanged from its default "signing_key.priv",
|
||||
then the kernel will automatically generate the private key and
|
||||
certificate as described in Documentation/module-signing.txt
|
||||
|
||||
config MODULE_COMPRESS
|
||||
bool "Compress modules on installation"
|
||||
depends on MODULES
|
||||
|
|
|
|||
|
|
@ -170,6 +170,10 @@ ifndef CONFIG_MODULE_SIG_HASH
|
|||
$(error Could not determine digest type to use from kernel config)
|
||||
endif
|
||||
|
||||
# We do it this way rather than having a boolean option for enabling an
|
||||
# external private key, because 'make randconfig' might enable such a
|
||||
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
|
||||
ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
|
||||
signing_key.priv signing_key.x509: x509.genkey
|
||||
@echo "###"
|
||||
@echo "### Now generating an X.509 key pair to be used for signing modules."
|
||||
|
|
@ -207,3 +211,4 @@ x509.genkey:
|
|||
@echo >>x509.genkey "subjectKeyIdentifier=hash"
|
||||
@echo >>x509.genkey "authorityKeyIdentifier=keyid"
|
||||
endif
|
||||
endif
|
||||
|
|
|
|||
Loading…
Reference in New Issue