From patchwork Wed Nov 25 07:26:50 2020
X-Patchwork-Submitter: "Lee, Chun-Yi"
X-Patchwork-Id: 11930495
From: "Lee, Chun-Yi"
To: David Howells
Cc: Herbert Xu, "David S . Miller", Ben Boeckel, Randy Dunlap, Malte Gell, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH v2 1/4] X.509: Add CodeSigning extended key usage parsing
Date: Wed, 25 Nov 2020 15:26:50 +0800
Message-Id: <20201125072653.15657-2-jlee@suse.com>
In-Reply-To: <20201125072653.15657-1-jlee@suse.com>
References: <20201125072653.15657-1-jlee@suse.com>
List-ID: X-Mailing-List: keyrings@vger.kernel.org

This patch adds the logic for parsing the CodeSign extended key usage extension in X.509. The parsing result will be set to the eku flag which is carried by the public key. It can be used in PKCS#7 verification.
Signed-off-by: "Lee, Chun-Yi" --- crypto/asymmetric_keys/x509_cert_parser.c | 24 ++++++++++++++++++++++++ include/crypto/public_key.h | 1 + include/linux/oid_registry.h | 5 +++++ 3 files changed, 30 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 52c9b455fc7d..65721313b265 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -497,6 +497,8 @@ int x509_process_extension(void *context, size_t hdrlen, struct x509_parse_context *ctx = context; struct asymmetric_key_id *kid; const unsigned char *v = value; + int i = 0; + enum OID oid; pr_debug("Extension: %u\n", ctx->last_oid); @@ -526,6 +528,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_extKeyUsage) { + if (v[0] != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ) || + v[1] != vlen - 2) + return -EBADMSG; + i += 2; + + while (i < vlen) { + /* A 10 bytes EKU OID Octet blob = + * ASN1_OID + size byte + 8 bytes OID */ + if (v[i] != ASN1_OID || v[i + 1] != 8 || (i + 10) > vlen) + return -EBADMSG; + + oid = look_up_OID(v + i + 2, v[i + 1]); + if (oid == OID_codeSigning) { + ctx->cert->pub->eku |= EKU_codeSigning; + } + i += 10; + } + pr_debug("extKeyUsage: %d\n", ctx->cert->pub->eku); + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 948c5203ca9c..07a1b28460a2 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -29,6 +29,7 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned int eku : 9; /* Extended Key Usage (9-bit) */ }; extern void public_key_free(struct public_key *key); diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index 4462ed2c18cd..e20e8eb53b21 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h 
@@ -113,9 +113,14 @@ enum OID { OID_SM2_with_SM3, /* 1.2.156.10197.1.501 */ OID_sm3WithRSAEncryption, /* 1.2.156.10197.1.504 */ + /* Extended key purpose OIDs [RFC 5280] */ + OID_codeSigning, /* 1.3.6.1.5.5.7.3.3 */ + OID__NR }; +#define EKU_codeSigning (1 << 2) + extern enum OID look_up_OID(const void *data, size_t datasize); extern int sprint_oid(const void *, size_t, char *, size_t); extern int sprint_OID(enum OID, char *, size_t); From patchwork Wed Nov 25 07:26:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 11930497 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5952815E6 for ; Wed, 25 Nov 2020 07:27:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2FB9420665 for ; Wed, 25 Nov 2020 07:27:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="o5yR1Qnc" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727247AbgKYH1S (ORCPT ); Wed, 25 Nov 2020 02:27:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59116 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725308AbgKYH1S (ORCPT ); Wed, 25 Nov 2020 02:27:18 -0500 Received: from mail-pg1-x543.google.com (mail-pg1-x543.google.com [IPv6:2607:f8b0:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1506BC0613D4; Tue, 24 Nov 2020 23:27:18 -0800 (PST) Received: by mail-pg1-x543.google.com with SMTP id l17so1652448pgk.1; Tue, 24 Nov 2020 23:27:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=rEVQORojpxPILZoW25n2HNyuoMNfuJyQRA19mYILOf8=; 
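Review bot: in the x509_cert_parser.c hunk, the extKeyUsage loop hard-codes every purpose OID to 8 bytes (`if (v[i] != ASN1_OID || v[i + 1] != 8 || (i + 10) > vlen)` followed by `i += 10`), so a certificate whose EKU SEQUENCE contains any OID of another length, for example anyExtendedKeyUsage (2.5.29.37.0, a 4-byte encoding) or a vendor purpose under 1.3.6.1.4.1, fails the whole parse with -EBADMSG instead of merely not gaining the codeSigning bit. Read the length from v[i + 1], check that i + 2 + len <= vlen, pass that length to look_up_OID() and advance by 2 + len; OIDs the registry does not know can simply be skipped. Two smaller points in the same hunk: v[0] and v[1] are read before anything checks that vlen >= 2, and `v[1] != vlen - 2` only accepts a short-form SEQUENCE length, so an EKU list longer than 127 bytes is rejected for no reason.

Review bot: in the public_key.h hunk, `unsigned int eku : 9; /* Extended Key Usage (9-bit) */` leaves the reader guessing what the nine bits mean; the comment only restates the width, and the only flag defined anywhere in the series is EKU_codeSigning at bit 2. Document the bit layout next to the field (which purposes occupy bits 0..8, and why bits 0 and 1 are skipped), or size the field by the number of EKU flags actually defined.

Review bot: in the oid_registry.h hunk, `#define EKU_codeSigning (1 << 2)` is a flag for struct public_key::eku, not an OID, so it sits oddly among the OID enum declarations; keeping it beside the eku field it describes, in include/crypto/public_key.h, would put the bit assignments and the field in one place. The OID_codeSigning entry itself, with its `/* 1.3.6.1.5.5.7.3.3 */` comment, follows the file's convention and is correctly placed before OID__NR.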
From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH v2 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Date: Wed, 25 Nov 2020 15:26:51 +0800 Message-Id: <20201125072653.15657-3-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20201125072653.15657-1-jlee@suse.com> References: <20201125072653.15657-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org This patch adds the logic for checking the CodeSigning extended key usage when verifying signature of kernel module or kexec PE binary in PKCS#7. Signed-off-by: "Lee, Chun-Yi" --- certs/system_keyring.c | 2 +- crypto/asymmetric_keys/Kconfig | 9 +++++++++ crypto/asymmetric_keys/pkcs7_trust.c | 37 +++++++++++++++++++++++++++++++++--- include/crypto/pkcs7.h | 3 ++- 4 files changed, 46 insertions(+), 5 deletions(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 798291177186..4104f5465d8a 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -242,7 +242,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len, goto error; } } - ret = pkcs7_validate_trust(pkcs7, trusted_keys); + ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage); if (ret < 0) { if (ret == -ENOKEY) pr_devel("PKCS#7 signature not signed with a trusted key\n"); diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 1f1f004dc757..1754812df989 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig 
@@ -96,4 +96,13 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. +config CHECK_CODESIGN_EKU + bool "Check codeSigning extended key usage" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION + help + This option provides support for checking the codeSigning extended + key usage when verifying the signature in PKCS#7. It affects kernel + module verification and kexec PE binary verification. + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 61af3c4d82cc..1d2318ff63db 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -16,12 +16,36 @@ #include #include "pkcs7_parser.h" +#ifdef CONFIG_CHECK_CODESIGN_EKU +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + struct public_key *public_key = key->payload.data[asym_crypto]; + + switch (usage) { + case VERIFYING_MODULE_SIGNATURE: + case VERIFYING_KEXEC_PE_SIGNATURE: + return !!(public_key->eku & EKU_codeSigning); + default: + break; + } + return true; +} +#else +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + return true; +} +#endif + /** * Check the trust on one PKCS#7 SignedInfo block. */ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct public_key_signature *sig = sinfo->sig; struct x509_certificate *x509, *last = NULL, *p; @@ -112,6 +136,12 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return -ENOKEY; matched: + if (!check_codesign_eku(key, usage)) { + pr_warn("sinfo %u: The signer %x key is not CodeSigning\n", + sinfo->index, key_serial(key)); + key_put(key); + return -ENOKEY; + } ret = verify_signature(key, sig); key_put(key); if (ret < 0) { 
@@ -156,7 +186,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * May also return -ENOMEM. */ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct pkcs7_signed_info *sinfo; struct x509_certificate *p; @@ -167,7 +198,7 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, p->seen = false; for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { - ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring); + ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring, usage); switch (ret) { case -ENOKEY: continue; diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..b3b48240ba73 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h 
@@ -30,7 +30,8 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, * pkcs7_trust.c */ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring); + struct key *trust_keyring, + enum key_being_used_for usage); /* * pkcs7_verify.c From patchwork Wed Nov 25 07:26:52 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 11930499 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 98548697 for ; Wed, 25 Nov 2020 07:27:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6EA7820665 for ; Wed, 25 Nov 2020 07:27:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AGPccole" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727776AbgKYH12 (ORCPT ); Wed, 25 Nov 2020 02:27:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59140 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727320AbgKYH11 (ORCPT ); Wed, 25 Nov 2020 02:27:27 -0500 Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C7A1DC0613D4; Tue, 24 Nov 2020 23:27:27 -0800 (PST) Received: by mail-pl1-x630.google.com with SMTP id t18so691238plo.0; Tue, 24 Nov 2020 23:27:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=QytjAJtOx4I9dfHfggs5vaGHYdTZvLqDyfwbAQPftuk=; b=AGPccolegAy/JTxbZTRik5q3o3O+8z1qRwZ/CCC43DSGsHPequcD8wL06G0o2ByfTs XTAgHeg9SPavC9mvQP/43lqJoP6jMt6fwEzs/m1/hKocEIwA89dc/+S8I7dZ1LTk+loi 
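Review bot: in the system_keyring.c hunk, the -ENOKEY branch right below the changed call still logs "PKCS#7 signature not signed with a trusted key", but after this series pkcs7_validate_trust() also returns -ENOKEY when the key is trusted yet lacks the codeSigning EKU, so an administrator chasing a module-load failure is told the key is untrusted when it is actually a missing purpose. Either return a distinct code for the EKU failure or add a second message here for it.

Review bot: in the Kconfig hunk, the help text should warn that once CHECK_CODESIGN_EKU is enabled every key used for module or kexec PE verification must carry the codeSigning EKU: keys enrolled before this change, and any key in the trust keyring that was not parsed from an X.509 certificate and so never had eku set, will be rejected, and the symptom is a plain module-loading failure.

Review bot: in the first pkcs7_trust.c hunk, check_codesign_eku() is applied to `key`, the trust-keyring entry that terminated the chain walk, not to the certificate that actually produced the signature. When the module signing certificate itself sits in the keyring the two coincide, but when the keyring holds a CA and the PKCS#7 message carries the leaf, this checks the CA's EKU (CA certificates rarely carry codeSigning) while the leaf's EKU, which is where RFC 5280 scopes the purpose, is never examined. Since patch 1 records eku on every parsed certificate's pub, consider checking the signer certificate the chain walk started from instead of, or in addition to, the trusted key.

Review bot: in the `matched:` hunk, the EKU failure returns -ENOKEY, the same code the lines just above use for "no trusted key found", so callers cannot tell an untrusted signer from a trusted signer without the purpose, and pkcs7_validate_trust()'s `case -ENOKEY: continue;` silently moves on to the next SignedInfo. A dedicated code such as -EKEYREJECTED would make the failure diagnosable; note also that key_put(key) before the early return is correct and easy to lose in a later refactor, so a short comment there would help.

Review bot: in the pkcs7_validate_trust() hunk, the kernel-doc block ending in `* May also return -ENOMEM.` just above needs an entry for the new @usage parameter, and if the EKU failure keeps returning -ENOKEY the return-value documentation should say that -ENOKEY now also covers a trusted key that lacks the codeSigning purpose.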
From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 3/4] modsign: Add codeSigning EKU when generating X.509 key generation config Date: Wed, 25 Nov 2020 15:26:52 +0800 Message-Id: <20201125072653.15657-4-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20201125072653.15657-1-jlee@suse.com> References: <20201125072653.15657-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Add codeSigning EKU to the X.509 key generation config for the build time autogenerated kernel key. Signed-off-by: "Lee, Chun-Yi" --- certs/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..1ef4d6ca43b7 100644 --- a/certs/Makefile +++ b/certs/Makefile 
@@ -88,6 +88,7 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ "extendedKeyUsage=codeSigning" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) From patchwork Wed Nov 25 07:26:53 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 11930501 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A83AB15E6 for ; Wed, 25 Nov 2020 07:28:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 837DC20665 for ; Wed, 25 Nov 2020 07:28:18 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="GAuDDIGo" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727976AbgKYH1d (ORCPT ); Wed, 25 Nov 2020 02:27:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59156 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727320AbgKYH1d (ORCPT ); Wed, 25 Nov 2020 02:27:33 -0500 Received: from mail-pf1-x443.google.com (mail-pf1-x443.google.com [IPv6:2607:f8b0:4864:20::443]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 589F8C0613D4; Tue, 24 Nov 2020 23:27:33 -0800 (PST) Received: by mail-pf1-x443.google.com with SMTP id t8so1483707pfg.8; Tue, 24 Nov 2020 23:27:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=EtMyIIa0dfE/QxK1mo3o94wUXlDlUpOZPp8wYKgkTzw=; b=GAuDDIGoz/9BjdCLAX04/32hETUiy4Y/DNu0ABD2vXYvye7w29Sg5wLDbijD0LT1Od G8qBzBfvisETGWWgel0V7vLklretDFquuVvOiGj24DcwR5FnI6SItOXI6YTEoP2IRSUD 
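Review bot: in the certs/Makefile hunk, the new `extendedKeyUsage=codeSigning` line only changes the generated x509.genkey config, so a signing key already present in the build tree keeps its old certificate without the EKU and will be rejected as soon as CHECK_CODESIGN_EKU is enabled; the commit message should say that such keys need regenerating, and a build-time warning when the existing certificate lacks the purpose would save users a confusing boot. The subject line is also missing the "v2" tag that the other patches of this series carry.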
From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU Date: Wed, 25 Nov 2020 15:26:53 +0800 Message-Id: <20201125072653.15657-5-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20201125072653.15657-1-jlee@suse.com> References: <20201125072653.15657-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Add an openssl command option example for generating CodeSign extended key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU be enabled. Signed-off-by: "Lee, Chun-Yi" --- Documentation/admin-guide/module-signing.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst index f8b584179cff..bc184124d646 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -170,6 +170,12 @@ generate the public/private key files:: -config x509.genkey -outform PEM -out kernel_key.pem \ -keyout kernel_key.pem +When ``CONFIG_CHECK_CODESIGN_EKU`` option be enabled, the following openssl +command option should be added for generating CodeSign extended key usage in +X.509:: + + -addext "extendedKeyUsage=codeSigning" + The full pathname for the resulting kernel_key.pem file can then be specified in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will be used instead of an autogenerated keypair.
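Review bot: in the module-signing.rst hunk, the added sentence "When ``CONFIG_CHECK_CODESIGN_EKU`` option be enabled" should read "When the ``CONFIG_CHECK_CODESIGN_EKU`` option is enabled", and the same slip is in the commit message. On substance, `-addext` exists only in OpenSSL 1.1.1 and later, while the command shown above already passes `-config x509.genkey`; documenting `extendedKeyUsage=codeSigning` as a line in that config file, which is exactly what patch 3 does for the autogenerated key, works with older OpenSSL and keeps the manual and automatic paths consistent, with `-addext` mentioned as the one-off alternative.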