Message ID | 1442218417-24897-1-git-send-email-apw@canonical.com (mailing list archive)
---|---
State | Not Applicable
Delegated to: | Herbert Xu
Andy Whitcroft <apw@canonical.com> wrote:

> This leads us to truncate the id for kernel module signing keys and to
> fail to recognise our own modules:
>
> [ 1.572423] Loaded X.509 cert 'Build time autogenerated kernel
> key: 62a7c3d2da278be024da4af8652c071f3fea33'
> [ 1.646153] Request for unknown module key 'Build time autogenerated
> kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11

I don't suppose you've saved the key and a random small module that I can have
a play with?

What version of the kernel are you using, btw?

David
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Sep 15, 2015 at 10:59:43AM +0100, David Howells wrote:
> Andy Whitcroft <apw@canonical.com> wrote:
>
> > This leads us to truncate the id for kernel module signing keys and to
> > fail to recognise our own modules:
> >
> > [ 1.572423] Loaded X.509 cert 'Build time autogenerated kernel
> > key: 62a7c3d2da278be024da4af8652c071f3fea33'
> > [ 1.646153] Request for unknown module key 'Build time autogenerated
> > kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11
>
> I don't suppose you've saved the key and a random small module that I can have
> a play with?

Sorry no, the key was an ephemeral key in those builds. I did run a few key
builds to generate a new key with 0's to confirm this was possible.

> What version of the kernel are you using, btw?

Ahh yes, this was against a v4.2 final, I see that sign-file is all changing
to use openssl, so I will go confirm that this is not different as a result.

-apw
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 24f17e6..0e16d5e 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -306,10 +306,10 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) } else { srlen = cert->raw_serial_size; q = cert->raw_serial; - } - if (srlen > 1 && *q == 0) { - srlen--; - q++; + if (srlen > 1 && *q == 0) { + srlen--; + q++; + } } ret = -ENOMEM;
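Review bot: the moved block now strips a leading zero only inside the raw-serial branch, which is what the commit message asks for, but nothing in the hunk records why exactly one 0x00 byte is dropped, and the cover note itself asks that question. A DER-encoded INTEGER carries at most one leading 0x00 byte (added only when the top bit of the first value byte is set), so dropping a single byte from the serial is the correct normalisation, whereas the subjKeyId is an OCTET STRING whose bytes must be used verbatim; suggest a one-line comment above `if (srlen > 1 && *q == 0) {` stating that, so the next reader neither extends the strip back to the subjKeyId branch nor turns it into a loop.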
In the commit below we added support for use of the subKeyId rather than
the raw serial number when forming the in kernel ID:

    commit dd2f6c4481debfa389c1f2b2b1d5bd6449c42611
    Author: David Howells <dhowells@redhat.com>
    Date:   Fri Oct 3 16:17:02 2014 +0100

        X.509: If available, use the raw subjKeyId to form the key description

However as part of this we subject the subjKeyId to the below prefix strip:

    if (srlen > 1 && *q == 0) {
        srlen--;
        q++;
    }

This leads us to truncate the id for kernel module signing keys and to
fail to recognise our own modules:

    [ 1.572423] Loaded X.509 cert 'Build time autogenerated kernel key: 62a7c3d2da278be024da4af8652c071f3fea33'
    [ 1.646153] Request for unknown module key 'Build time autogenerated kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11

Only apply the prefix strip to raw serial number.

Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 crypto/asymmetric_keys/x509_public_key.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

While we are here the prefix strip seems pretty odd, only removing just one
0 byte. Is this meant to strip them all (as a while), or was the intent to
strip leading 0s from the hex form? Do we have any background to this change?

-apw
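The following is an added example, not code from the kernel or from this patch: a small user-space model of how the key description is formed from either the raw serial number or the subjKeyId, showing the truncation the commit message describes and the lookup failure it causes. The function names (form_key_id, key_id_before, key_id_after, module_key_found) and the sample buffers are constructed for illustration; the subjKeyId bytes are taken from the log lines quoted in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example (not the kernel's x509_public_key.c): a model of how the
 * key description is formed from either the raw serial number or the
 * subjKeyId, before and after the patch in this thread. Function names
 * and the sample buffers are constructed for illustration.
 */

#define KEY_ID_HEX_MAX 128

/*
 * Render the identifier bytes as lower-case hex. When strip_one_zero is
 * set, a single leading 0x00 byte is dropped first, matching the
 * "if (srlen > 1 && *q == 0)" strip quoted in the commit message.
 * Returns the number of hex characters written, or 0 if out is too small.
 */
size_t form_key_id(const unsigned char *q, size_t srlen, int strip_one_zero,
                   char *out, size_t outlen)
{
    size_t i;

    if (strip_one_zero && srlen > 1 && *q == 0) {
        srlen--;
        q++;
    }
    if (outlen < srlen * 2 + 1)
        return 0;
    for (i = 0; i < srlen; i++)
        snprintf(out + i * 2, 3, "%02x", q[i]);
    out[srlen * 2] = '\0';
    return srlen * 2;
}

/* Before the patch: the strip ran after both branches, so it hit the subjKeyId too. */
size_t key_id_before(const unsigned char *id, size_t len, int from_subjkeyid,
                     char *out, size_t outlen)
{
    (void)from_subjkeyid;
    return form_key_id(id, len, 1, out, outlen);
}

/* After the patch: only the raw serial number is stripped. */
size_t key_id_after(const unsigned char *id, size_t len, int from_subjkeyid,
                    char *out, size_t outlen)
{
    return form_key_id(id, len, from_subjkeyid ? 0 : 1, out, outlen);
}

/* Constructed sample: the subjKeyId bytes behind the log lines quoted in
 * the thread, 0062a7c3d2da278be024da4af8652c071f3fea33 (20 bytes). */
static const unsigned char sample_subjkeyid[20] = {
    0x00, 0x62, 0xa7, 0xc3, 0xd2, 0xda, 0x27, 0x8b, 0xe0, 0x24,
    0xda, 0x4a, 0xf8, 0x65, 0x2c, 0x07, 0x1f, 0x3f, 0xea, 0x33
};

/* Constructed sample: a DER INTEGER serial whose value has the top bit set,
 * so the encoder prepended one 0x00 sign-padding byte. */
static const unsigned char sample_serial[3] = { 0x00, 0x9f, 0x12 };

/*
 * Does a module request for this subjKeyId find the loaded cert? The module
 * side uses the identifier verbatim (no strip); the cert side uses the
 * load-time description. fixed selects the post-patch behaviour.
 */
int module_key_found(int fixed)
{
    char loaded[KEY_ID_HEX_MAX], requested[KEY_ID_HEX_MAX];

    form_key_id(sample_subjkeyid, sizeof sample_subjkeyid, 0,
                requested, sizeof requested);
    if (fixed)
        key_id_after(sample_subjkeyid, sizeof sample_subjkeyid, 1,
                     loaded, sizeof loaded);
    else
        key_id_before(sample_subjkeyid, sizeof sample_subjkeyid, 1,
                      loaded, sizeof loaded);
    return strcmp(loaded, requested) == 0;
}

int main(void)
{
    char buf[KEY_ID_HEX_MAX];

    key_id_before(sample_subjkeyid, sizeof sample_subjkeyid, 1, buf, sizeof buf);
    printf("before, subjKeyId: %s\n", buf);
    key_id_after(sample_subjkeyid, sizeof sample_subjkeyid, 1, buf, sizeof buf);
    printf("after,  subjKeyId: %s\n", buf);
    key_id_after(sample_serial, sizeof sample_serial, 0, buf, sizeof buf);
    printf("after,  serial:    %s\n", buf);
    printf("module key found: before=%d after=%d\n",
           module_key_found(0), module_key_found(1));
    return 0;
}
```

Compiled with a C99 compiler and run, the pre-patch path turns the 40-character subjKeyId into the 38-character form seen in the "Loaded X.509 cert" line, so the verbatim identifier in the module request no longer matches; the post-patch path keeps the subjKeyId whole while still dropping the single sign-padding byte from the serial.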