From patchwork Tue Apr 6 18:53:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 12185737 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 07ED1C43611 for ; Tue, 6 Apr 2021 18:54:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C88E7613B3 for ; Tue, 6 Apr 2021 18:54:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237335AbhDFSyw (ORCPT ); Tue, 6 Apr 2021 14:54:52 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:3918 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240728AbhDFSx6 (ORCPT ); Tue, 6 Apr 2021 14:53:58 -0400 Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 136IYixS189899; Tue, 6 Apr 2021 14:53:48 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=W0JexB3pGbSVM6Gi/s0lWDphouOz+hg8nBrceVRz5NA=; b=S33qW43fvNljiKw3SmiaqMnoqyZXqH2kJy9US0QGfPm1Ji0MImIN31/OfgMj9B+wgEUZ Usmbt/ZwCZWZ7/qN6pTHjDxQTXlMQe4vLmIzRQlxHUYK+ty38wP4IKMl+VUN6Edp/KGY +E+zNl6w/iySxEAJ1oA6LjS6P+JRLGFcOqy2VkyB6eb3iRS0eahuqyrtlMivbUiytaqi 22IZSTzzdAdryH4pj/gOJNtQX5oUSXreVslI1D7NSg0fTnWm0ho3v963PhPvmRkjerI3 SXxcyI06GeP2l/TPVQxBAzN4TDfEkrKUzw3Q0pQPqvgDEwLYJSDEErkRrSkUZRNP4dp5 eA== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 37rvmesgfk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 06 Apr 2021 14:53:48 -0400 Received: from m0127361.ppops.net (m0127361.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 136IZoZn000764; Tue, 6 Apr 2021 14:53:47 -0400 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com with ESMTP id 37rvmesgfb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 06 Apr 2021 14:53:47 -0400 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.0.43/8.16.0.43) with SMTP id 136IbCCn009177; Tue, 6 Apr 2021 18:53:47 GMT Received: from b03cxnp07027.gho.boulder.ibm.com (b03cxnp07027.gho.boulder.ibm.com [9.17.130.14]) by ppma01dal.us.ibm.com with ESMTP id 37rvs1085f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 06 Apr 2021 18:53:47 +0000 Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp07027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 136IrjWd23134614 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 6 Apr 2021 18:53:45 GMT Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 510BA6A051; Tue, 6 Apr 2021 18:53:45 +0000 (GMT) Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C135B6A057; Tue, 6 Apr 2021 18:53:44 +0000 (GMT) Received: from localhost.localdomain (unknown [9.47.158.152]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 6 Apr 2021 18:53:44 +0000 (GMT) From: Stefan Berger To: keyrings@vger.kernel.org, dhowells@redhat.com, zohar@linux.ibm.com, jarkko@kernel.org Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Stefan Berger Subject: [PATCH 1/2] certs: Trigger recreation of module signing key if it's not an RSA key Date: Tue, 6 Apr 2021 14:53:39 -0400 Message-Id: <20210406185340.1079403-2-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210406185340.1079403-1-stefanb@linux.ibm.com> References: <20210406185340.1079403-1-stefanb@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: pGnen7d5n5YNdc3RHnezdeAmKb6PHfvx X-Proofpoint-ORIG-GUID: t_y6zRtVxIKoTvYf5CJOfPR3MOMnHgSY X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.761 definitions=2021-04-06_06:2021-04-06,2021-04-06 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 lowpriorityscore=0 spamscore=0 impostorscore=0 mlxscore=0 adultscore=0 phishscore=0 priorityscore=1501 malwarescore=0 clxscore=1015 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2104060127 Precedence: bulk List-ID: Make sure that the kernel module signing key is an RSA key and remove it otherwise so that it gets recreated. Prevent module loading failures if a developer chose an ECDSA key for module signing with a 5.12 kernel and then falls back to compiling an older kernel. However, this will also only work if falling back to kernels that have actually been patched with this kernel, such as the stable trees. Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") Signed-off-by: Stefan Berger --- certs/Makefile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/certs/Makefile b/certs/Makefile index e3185c57fbd8..f64bc89ccbf1 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -59,6 +59,11 @@ silent_redirect_openssl = 2>/dev/null # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") + +X509TEXT=$(shell openssl x509 -in $(CONFIG_MODULE_SIG_KEY) -text) + +$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY))) + $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @$(kecho) "### Now generating an X.509 key pair to be used for signing modules."