
MODSIGN: Add option to define PKCS11 module

Message ID YV3q759YUYqbSuiM@devvm312.ftw0.facebook.com (mailing list archive)

Commit Message

Sergei Iudin Oct. 6, 2021, 6:29 p.m. UTC
In order to use the PKCS11 engine, the user has to specify a PKCS11 module.
There are two approaches:
- [0] Global openssl config
- [1] Programmatic call of ENGINE_ctrl_cmd
The option mentioned in RFC 7512 [2] to pass it as part of the URI is not
implemented in openssl ([3]).
Changing the global openssl config is not always feasible, especially for
cases when the system may run multiple not fully isolated builds at a time.
In order to make it possible to define a build-wide PKCS11 module, use the
environment variable `KBUILD_PKCS11_MODULE`.

[0] https://bit.ly/3myVWsE
[1] https://github.com/OpenSC/libp11/blob/master/README.md#engine-controls
[2] https://datatracker.ietf.org/doc/html/rfc7512
[3] https://pastebin.com/SfabcxTN

Signed-off-by: Sergei Iudin <tsipa740@gmail.com>
---
 Documentation/admin-guide/module-signing.rst | 3 ++-
 Documentation/kbuild/kbuild.rst              | 5 +++++
 scripts/sign-file.c                          | 6 ++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

Comments

David Woodhouse Oct. 6, 2021, 6:32 p.m. UTC | #1
On Wed, 2021-10-06 at 11:29 -0700, Sergei Iudin wrote:
> In order to use the PKCS11 engine, the user has to specify a PKCS11 module.

No, that shouldn't be necessary at all. The engine can be built to use
p11-kit-proxy.so as its default module, which loads the system p11-kit
configuration (including the user's own configuration which they can
add modules to without needing privileges). All the correct slots
should be available by default.

Patch

diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
index 7d7c7c8a545c..e3179fcf78e0 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -230,7 +230,8 @@  doesn't, you should make sure that hash algorithm is either built into the
 kernel or can be loaded without requiring itself.
 
 If the private key requires a passphrase or PIN, it can be provided in the
-$KBUILD_SIGN_PIN environment variable.
+$KBUILD_SIGN_PIN environment variable. If you want to specify non-default
+PKCS11 module you can define it via $KBUILD_PKCS11_MODULE variable.
 
 
 ============================
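Review bot: The added sentence does not say what kind of value $KBUILD_PKCS11_MODULE takes. sign-file hands it to the engine as MODULE_PATH, so the text should state that it is the path to the PKCS#11 module file. The wording also needs articles ("a non-default PKCS#11 module", "the $KBUILD_PKCS11_MODULE variable"), and spelling it "PKCS#11" would match the messages in scripts/sign-file.c.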
diff --git a/Documentation/kbuild/kbuild.rst b/Documentation/kbuild/kbuild.rst
index 2d1fc03d346e..a7ee781b69c2 100644
--- a/Documentation/kbuild/kbuild.rst
+++ b/Documentation/kbuild/kbuild.rst
@@ -223,6 +223,11 @@  KBUILD_SIGN_PIN
 This variable allows a passphrase or PIN to be passed to the sign-file
 utility when signing kernel modules, if the private key requires such.
 
+KBUILD_PKCS11_MODULE
+---------------
+This variable allows to specify PKCS11 module to be passed to the
+sign-file utility when signing kernel modules with PKCS11 engine.
+
 KBUILD_MODPOST_WARN
 -------------------
 KBUILD_MODPOST_WARN can be set to avoid errors in case of undefined
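Review bot: The underline added under KBUILD_PKCS11_MODULE is 15 dashes long while the title is 20 characters, unlike the KBUILD_MODPOST_WARN heading below, whose underline matches its length; a reStructuredText underline shorter than its title produces a warning in the docs build, so extend it to 20 dashes. "This variable allows to specify PKCS11 module" is also ungrammatical; something like "This variable specifies the path of the PKCS#11 module that the sign-file utility passes to the PKCS#11 engine when signing kernel modules" says what the value is and when it is used.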
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 2dbfc6e630f4..72823800684b 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -112,6 +112,7 @@  static void drain_openssl_errors(void)
 	} while(0)
 
 static const char *key_pass;
+static const char *pkcs11_module;
 
 static int pem_pw_cb(char *buf, int len, int w, void *v)
 {
@@ -150,6 +151,10 @@  static EVP_PKEY *read_private_key(const char *private_key_name)
 		if (key_pass)
 			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
 			    "Set PKCS#11 PIN");
+		if (pkcs11_module)
+			ERR(!ENGINE_ctrl_cmd_string(e, "MODULE_PATH",
+			    pkcs11_module, 0),
+			    "Set PKCS#11 module");
 		private_key = ENGINE_load_private_key(e, private_key_name,
 						      NULL, NULL);
 		ERR(!private_key, "%s", private_key_name);
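Review bot: The `if (pkcs11_module)` test before the MODULE_PATH call is also true when KBUILD_PKCS11_MODULE is set but empty, so an empty path is handed to the engine; check `pkcs11_module[0]` as well, or fail early with a clear message. The failure text "Set PKCS#11 module" does not name the path that was rejected. ERR takes a format string, as the `ERR(!private_key, "%s", private_key_name)` line below shows, so "Set PKCS#11 module %s" with pkcs11_module would make a bad path easy to diagnose from the build log. The continuation line `pkcs11_module, 0),` should be aligned with the opening parenthesis of ENGINE_ctrl_cmd_string so that it does not read as an argument of ERR.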
@@ -234,6 +239,7 @@  int main(int argc, char **argv)
 	ERR_clear_error();
 
 	key_pass = getenv("KBUILD_SIGN_PIN");
+	pkcs11_module = getenv("KBUILD_PKCS11_MODULE");
 
 #ifndef USE_PKCS7
 	use_signed_attrs = CMS_NOATTR;
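Review bot: At the `getenv("KBUILD_PKCS11_MODULE")` line the value is taken unchecked and later passed as the engine's MODULE_PATH, so whatever file the build environment names is used as the PKCS#11 module in the same process that receives KBUILD_SIGN_PIN. Since the commit message targets hosts running several not fully isolated builds, consider rejecting values that are not absolute paths (first character not '/') and noting in the documentation that the variable must only be set from a trusted environment, because the named module handles the PIN and the signing operation.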