From patchwork Mon Jun 28 21:43:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 12348569 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23B74C11F64 for ; Mon, 28 Jun 2021 21:43:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EADA061D00 for ; Mon, 28 Jun 2021 21:43:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233773AbhF1Vpt (ORCPT ); Mon, 28 Jun 2021 17:45:49 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:20618 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232131AbhF1Vps (ORCPT ); Mon, 28 Jun 2021 17:45:48 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 15SLYLaD074404; Mon, 28 Jun 2021 17:43:15 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=uBWd97TMx5OA6ZD2MQbW0exd3CNum/ieZl924+h4O7E=; b=tOu+GOD+Rc/L6Qe5GFTm6dEuNJOcc5F7FrDX0K/bQ/axjZf+NMoNUdYAZJV0DinJj3kM Z6wf33wxBhldcpGi4cp6Y3eJ2uPr3cPN/c+PGNAZHpWS1zC6gekfnrjQTvTXAgihFbII gzLC5x1w0Hk0XYngIK01fwsJfBWnVYL0uv56RjdRPXP6We2TNzuRY18JAidVqi4v5BG6 JQmy8cIoxHln5N8kDQ+/QDb0Bd5+rCYnbihOWZQJzzsGMMmP8xIY83jC3G8JGqwBlUMG NyAq7ZJVPWjz1IwB/4e1vWlfy+yW13JJYMb/T25WXkJ0DHbgpjrihoKFTeD3RST/IJa4 qg== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39fhse7qqt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Jun 2021 17:43:15 -0400 Received: from m0098399.ppops.net (m0098399.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 15SLYgKk075067; Mon, 28 Jun 2021 17:43:15 -0400 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0a-001b2d01.pphosted.com with ESMTP id 39fhse7qqe-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Jun 2021 17:43:15 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 15SLck5D021294; Mon, 28 Jun 2021 21:43:13 GMT Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by ppma02wdc.us.ibm.com with ESMTP id 39duvaxwrk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Jun 2021 21:43:13 +0000 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 15SLhDOb38863320 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 28 Jun 2021 21:43:13 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 68C1A12405A; Mon, 28 Jun 2021 21:43:13 +0000 (GMT) Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5886F124055; Mon, 28 Jun 2021 21:43:13 +0000 (GMT) Received: from localhost.localdomain (unknown [9.47.158.152]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 28 Jun 2021 21:43:13 +0000 (GMT) From: Stefan Berger To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, torvalds@linux-foundation.org, Stefan Berger Subject: [PATCH v7 1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key Date: Mon, 28 Jun 2021 17:43:03 -0400 Message-Id: <20210628214304.4165769-2-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210628214304.4165769-1-stefanb@linux.vnet.ibm.com> References: <20210628214304.4165769-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: AOb5SHs4XETGiTs9YXPnBbWAaqtjpaDA X-Proofpoint-GUID: GbkD8Vf6ONottfEHQpdps7tFfanVY9cY X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-06-28_14:2021-06-25,2021-06-28 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 bulkscore=0 phishscore=0 adultscore=0 spamscore=0 clxscore=1015 priorityscore=1501 impostorscore=0 malwarescore=0 lowpriorityscore=0 mlxscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2106280140 Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org From: Stefan Berger Address a kbuild issue where a developer created an ECDSA key for signing kernel modules and then builds an older version of the kernel, when bi- secting the kernel for example, that does not support ECDSA keys. If openssl is installed, trigger the creation of an RSA module signing key if it is not an RSA key. Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") Signed-off-by: Stefan Berger Cc: David Howells Cc: David Woodhouse Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- certs/Makefile | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/certs/Makefile b/certs/Makefile index 359239a0ee9e..f9344e52ecda 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -57,11 +57,19 @@ endif redirect_openssl = 2>&1 quiet_redirect_openssl = 2>&1 silent_redirect_openssl = 2>/dev/null +openssl_available = $(shell openssl help 2>/dev/null && echo yes) # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") + +ifeq ($(openssl_available),yes) +X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null) + +$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) +endif + $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @$(kecho) "### Now generating an X.509 key pair to be used for signing modules."