| Message ID | 20210211195435.135582-3-nayna@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: kernel build support for loading the kernel module signing key | expand |
On 2/11/21 2:54 PM, Nayna Jain wrote: > Loading a key on the IMA trusted keyring requires the key be signed > by an existing key on the builtin or secondary trusted keyring. > Creating a Certificate Signing Request (CSR) allows the certificate > to be self-signed or signed by a CA. > > This patch generates a self-signed module signing key using CSR. > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > --- > Makefile | 3 ++- > certs/Makefile | 15 +++++++++++---- > 2 files changed, 13 insertions(+), 5 deletions(-) > > diff --git a/Makefile b/Makefile > index af18aab6bbee..9c87fdd600d8 100644 > --- a/Makefile > +++ b/Makefile > @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated \ > .config .config.old .version \ > Module.symvers \ > certs/signing_key.pem certs/signing_key.x509 \ > - certs/x509.genkey \ > + certs/x509.genkey certs/signing_key.key \ > + certs/signing_key.crt certs/signing_key.csr \ > vmlinux-gdb.py \ > *.spec > > diff --git a/certs/Makefile b/certs/Makefile > index f4c25b67aad9..b2be7eb413d3 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey > @$(kecho) "### needs to be run as root, and uses a hardware random" > @$(kecho) "### number generator if one is available." > @$(kecho) "###" > - $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ > - -batch -x509 -config $(obj)/x509.genkey \ > - -outform PEM -out $(obj)/signing_key.pem \ > - -keyout $(obj)/signing_key.pem \ > + $(Q)openssl req -new -nodes -utf8 \ > + -batch -config $(obj)/x509.genkey \ > + -outform PEM -out $(obj)/signing_key.csr \ > + -keyout $(obj)/signing_key.key -extensions myexts \ > $($(quiet)redirect_openssl) > + $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ > + -outform PEM -out $(obj)/signing_key.crt \ > + -signkey $(obj)/signing_key.key \ > + -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ > + -extfile $(obj)/x509.genkey \ > + $($(quiet)redirect_openssl) > + @cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem Could you not just rename signing_key.key to signing_key.pem (as it was before) and that would be it? Why do you need the .crt in that pem bundle? Stefan
On Thu, Feb 11, 2021 at 02:54:32PM -0500, Nayna Jain wrote: > Loading a key on the IMA trusted keyring requires the key be signed > by an existing key on the builtin or secondary trusted keyring. > Creating a Certificate Signing Request (CSR) allows the certificate > to be self-signed or signed by a CA. > > This patch generates a self-signed module signing key using CSR. "Generate ..." /Jarkko > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > --- > Makefile | 3 ++- > certs/Makefile | 15 +++++++++++---- > 2 files changed, 13 insertions(+), 5 deletions(-) > > diff --git a/Makefile b/Makefile > index af18aab6bbee..9c87fdd600d8 100644 > --- a/Makefile > +++ b/Makefile > @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated \ > .config .config.old .version \ > Module.symvers \ > certs/signing_key.pem certs/signing_key.x509 \ > - certs/x509.genkey \ > + certs/x509.genkey certs/signing_key.key \ > + certs/signing_key.crt certs/signing_key.csr \ > vmlinux-gdb.py \ > *.spec > > diff --git a/certs/Makefile b/certs/Makefile > index f4c25b67aad9..b2be7eb413d3 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey > @$(kecho) "### needs to be run as root, and uses a hardware random" > @$(kecho) "### number generator if one is available." > @$(kecho) "###" > - $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ > - -batch -x509 -config $(obj)/x509.genkey \ > - -outform PEM -out $(obj)/signing_key.pem \ > - -keyout $(obj)/signing_key.pem \ > + $(Q)openssl req -new -nodes -utf8 \ > + -batch -config $(obj)/x509.genkey \ > + -outform PEM -out $(obj)/signing_key.csr \ > + -keyout $(obj)/signing_key.key -extensions myexts \ > $($(quiet)redirect_openssl) > + $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ > + -outform PEM -out $(obj)/signing_key.crt \ > + -signkey $(obj)/signing_key.key \ > + -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ > + -extfile $(obj)/x509.genkey \ > + $($(quiet)redirect_openssl) > + @cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem > @$(kecho) "###" > @$(kecho) "### Key pair generated." > @$(kecho) "###" > -- > 2.18.1 > >
On 2/11/21 5:01 PM, Stefan Berger wrote: > On 2/11/21 2:54 PM, Nayna Jain wrote: >> Loading a key on the IMA trusted keyring requires the key be signed >> by an existing key on the builtin or secondary trusted keyring. >> Creating a Certificate Signing Request (CSR) allows the certificate >> to be self-signed or signed by a CA. >> >> This patch generates a self-signed module signing key using CSR. >> >> Signed-off-by: Nayna Jain <nayna@linux.ibm.com> >> --- >> Makefile | 3 ++- >> certs/Makefile | 15 +++++++++++---- >> 2 files changed, 13 insertions(+), 5 deletions(-) >> >> diff --git a/Makefile b/Makefile >> index af18aab6bbee..9c87fdd600d8 100644 >> --- a/Makefile >> +++ b/Makefile >> @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config >> include/generated \ >> .config .config.old .version \ >> Module.symvers \ >> certs/signing_key.pem certs/signing_key.x509 \ >> - certs/x509.genkey \ >> + certs/x509.genkey certs/signing_key.key \ >> + certs/signing_key.crt certs/signing_key.csr \ >> vmlinux-gdb.py \ >> *.spec >> diff --git a/certs/Makefile b/certs/Makefile >> index f4c25b67aad9..b2be7eb413d3 100644 >> --- a/certs/Makefile >> +++ b/certs/Makefile >> @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey >> @$(kecho) "### needs to be run as root, and uses a hardware >> random" >> @$(kecho) "### number generator if one is available." >> @$(kecho) "###" >> - $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) >> -days 36500 \ >> - -batch -x509 -config $(obj)/x509.genkey \ >> - -outform PEM -out $(obj)/signing_key.pem \ >> - -keyout $(obj)/signing_key.pem \ >> + $(Q)openssl req -new -nodes -utf8 \ >> + -batch -config $(obj)/x509.genkey \ >> + -outform PEM -out $(obj)/signing_key.csr \ >> + -keyout $(obj)/signing_key.key -extensions myexts \ >> $($(quiet)redirect_openssl) >> + $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ >> + -outform PEM -out $(obj)/signing_key.crt \ >> + -signkey $(obj)/signing_key.key \ >> + -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ >> + -extfile $(obj)/x509.genkey \ >> + $($(quiet)redirect_openssl) >> + @cat $(obj)/signing_key.key $(obj)/signing_key.crt >> >> $(obj)/signing_key.pem > > > Could you not just rename signing_key.key to signing_key.pem (as it > was before) and that would be it? Why do you need the .crt in that pem > bundle? I had also thought so, but the PEM file contains both the private key and the certificate. I found the reasoning in the commit "fb1179499134 modsign: Use single PEM file for autogenerated key". I addressed your other feedback in v2, posted just now. Thanks & Regards, - Nayna
diff --git a/Makefile b/Makefile index af18aab6bbee..9c87fdd600d8 100644 --- a/Makefile +++ b/Makefile @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated \ .config .config.old .version \ Module.symvers \ certs/signing_key.pem certs/signing_key.x509 \ - certs/x509.genkey \ + certs/x509.genkey certs/signing_key.key \ + certs/signing_key.crt certs/signing_key.csr \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..b2be7eb413d3 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### needs to be run as root, and uses a hardware random" @$(kecho) "### number generator if one is available." @$(kecho) "###" - $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ - -batch -x509 -config $(obj)/x509.genkey \ - -outform PEM -out $(obj)/signing_key.pem \ - -keyout $(obj)/signing_key.pem \ + $(Q)openssl req -new -nodes -utf8 \ + -batch -config $(obj)/x509.genkey \ + -outform PEM -out $(obj)/signing_key.csr \ + -keyout $(obj)/signing_key.key -extensions myexts \ $($(quiet)redirect_openssl) + $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ + -outform PEM -out $(obj)/signing_key.crt \ + -signkey $(obj)/signing_key.key \ + -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ + -extfile $(obj)/x509.genkey \ + $($(quiet)redirect_openssl) + @cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem @$(kecho) "###" @$(kecho) "### Key pair generated." @$(kecho) "###"
Loading a key on the IMA trusted keyring requires the key be signed by an existing key on the builtin or secondary trusted keyring. Creating a Certificate Signing Request (CSR) allows the certificate to be self-signed or signed by a CA. This patch generates a self-signed module signing key using CSR. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- Makefile | 3 ++- certs/Makefile | 15 +++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-)