From patchwork Fri Apr 9 02:46:53 2021
X-Patchwork-Submitter: "Lee, Chun-Yi"
X-Patchwork-Id: 12192863
From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 1/4] X.509: Add CodeSigning extended key usage parsing Date: Fri, 9 Apr 2021 10:46:53 +0800 Message-Id: <20210409024656.8083-2-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210409024656.8083-1-jlee@suse.com> References: <20210409024656.8083-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org This patch adds the logic for parsing the CodeSign extended key usage extension in X.509. The parsing result will be set to the eku flag which is carried by public key. It can be used in the PKCS#7 verification. Signed-off-by: "Lee, Chun-Yi" --- crypto/asymmetric_keys/x509_cert_parser.c | 24 ++++++++++++++++++++++++ include/crypto/public_key.h | 1 + include/linux/oid_registry.h | 5 +++++ 3 files changed, 30 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 52c9b455fc7d..65721313b265 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -497,6 +497,8 @@ int x509_process_extension(void *context, size_t hdrlen, struct x509_parse_context *ctx = context; struct asymmetric_key_id *kid; const unsigned char *v = value; + int i = 0; + enum OID oid; pr_debug("Extension: %u\n", ctx->last_oid); 
@@ -526,6 +528,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_extKeyUsage) { + if (v[0] != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ) || + v[1] != vlen - 2) + return -EBADMSG; + i += 2; + + while (i < vlen) { + /* A 10 bytes EKU OID Octet blob = + * ASN1_OID + size byte + 8 bytes OID */ + if (v[i] != ASN1_OID || v[i + 1] != 8 || (i + 10) > vlen) + return -EBADMSG; + + oid = look_up_OID(v + i + 2, v[i + 1]); + if (oid == OID_codeSigning) { + ctx->cert->pub->eku |= EKU_codeSigning; + } + i += 10; + } + pr_debug("extKeyUsage: %d\n", ctx->cert->pub->eku); + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..1ccaebe2a28b 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -28,6 +28,7 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned int eku : 9; /* Extended Key Usage (9-bit) */ }; extern void public_key_free(struct public_key *key); diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index 4462ed2c18cd..e20e8eb53b21 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h 
@@ -113,9 +113,14 @@ enum OID { OID_SM2_with_SM3, /* 1.2.156.10197.1.501 */ OID_sm3WithRSAEncryption, /* 1.2.156.10197.1.504 */ + /* Extended key purpose OIDs [RFC 5280] */ + OID_codeSigning, /* 1.3.6.1.5.5.7.3.3 */ + OID__NR }; +#define EKU_codeSigning (1 << 2) + extern enum OID look_up_OID(const void *data, size_t datasize); extern int sprint_oid(const void *, size_t, char *, size_t); extern int sprint_OID(enum OID, char *, size_t); From patchwork Fri Apr 9 02:46:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 12192865 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1605C433ED for ; Fri, 9 Apr 2021 02:47:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9E6E2610A7 for ; Fri, 9 Apr 2021 02:47:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232960AbhDICrk (ORCPT ); Thu, 8 Apr 2021 22:47:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43726 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232921AbhDICrc (ORCPT ); Thu, 8 Apr 2021 22:47:32 -0400 Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1A6ABC061760; Thu, 8 Apr 2021 19:47:20 -0700 (PDT) Received: by mail-pf1-x433.google.com 
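Review bot: In the first x509_cert_parser.c hunk, `int i` is later compared against the `size_t vlen` parameter of x509_process_extension() (`while (i < vlen)`), which is a signed/unsigned comparison; declare it as `size_t i = 0;` to match the length type used by the rest of the function.

Review bot: In the OID_extKeyUsage hunk, `v[0]` and `v[1]` are read before anything checks that `vlen >= 2`, and inside the loop `v[i + 1]` is read before the `(i + 10) > vlen` test, so a value of zero or one byte, or one whose final element is truncated, is read past its end; put `if (vlen < 2) return -EBADMSG;` first and move the `(i + 10) > vlen` test ahead of the `v[i + 1]` access. The same hunk also hard-codes a short-form SEQUENCE length (`v[1] != vlen - 2`) and an 8-byte OID (`v[i + 1] != 8`): an EKU sequence longer than 127 bytes, or any purpose OID of another length (anyExtendedKeyUsage 2.5.29.37.0 encodes in 4 bytes, vendor-specific EKUs are longer), makes the function `return -EBADMSG`, so the whole certificate fails to parse instead of merely not gaining the codeSigning bit. Since look_up_OID() already takes the length, read each element's own length byte and advance by `2 + v[i + 1]`, and state explicitly whether anyExtendedKeyUsage is meant to satisfy the codeSigning check (RFC 5280 section 4.2.1.12 says it permits any purpose).

Review bot: In the oid_registry.h hunk, `#define EKU_codeSigning (1 << 2)` is the only bit defined for the 9-bit `eku` field added to struct public_key, and nothing documents which EKU maps to bits 0, 1 and 3 through 8; add a comment giving the intended bit layout next to the define (or start at bit 0 until the other purposes exist) so later additions cannot collide with it.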
From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Date: Fri, 9 Apr 2021 10:46:54 +0800 Message-Id: <20210409024656.8083-3-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210409024656.8083-1-jlee@suse.com> References: <20210409024656.8083-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org This patch adds the logic for checking the CodeSigning extended key usage when verifying signature of kernel module or kexec PE binary in PKCS#7. Signed-off-by: "Lee, Chun-Yi" --- certs/system_keyring.c | 2 +- crypto/asymmetric_keys/Kconfig | 9 +++++++++ crypto/asymmetric_keys/pkcs7_trust.c | 37 +++++++++++++++++++++++++++++++++--- include/crypto/pkcs7.h | 3 ++- 4 files changed, 46 insertions(+), 5 deletions(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 4b693da488f1..c9f8bca0b0d3 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -243,7 +243,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len, goto error; } } - ret = pkcs7_validate_trust(pkcs7, trusted_keys); + ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage); if (ret < 0) { if (ret == -ENOKEY) pr_devel("PKCS#7 signature not signed with a trusted key\n"); diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 1f1f004dc757..1754812df989 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig 
@@ -96,4 +96,13 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. +config CHECK_CODESIGN_EKU + bool "Check codeSigning extended key usage" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION + help + This option provides support for checking the codeSigning extended + key usage when verifying the signature in PKCS#7. It affects kernel + module verification and kexec PE binary verification. + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index b531df2013c4..077bfef928b6 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -16,12 +16,36 @@ #include #include "pkcs7_parser.h" +#ifdef CONFIG_CHECK_CODESIGN_EKU +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + struct public_key *public_key = key->payload.data[asym_crypto]; + + switch (usage) { + case VERIFYING_MODULE_SIGNATURE: + case VERIFYING_KEXEC_PE_SIGNATURE: + return !!(public_key->eku & EKU_codeSigning); + default: + break; + } + return true; +} +#else +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + return true; +} +#endif + /* * Check the trust on one PKCS#7 SignedInfo block. */ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct public_key_signature *sig = sinfo->sig; struct x509_certificate *x509, *last = NULL, *p; @@ -112,6 +136,12 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return -ENOKEY; matched: + if (!check_codesign_eku(key, usage)) { + pr_warn("sinfo %u: The signer %x key is not CodeSigning\n", + sinfo->index, key_serial(key)); + key_put(key); + return -ENOKEY; + } ret = verify_signature(key, sig); key_put(key); if (ret < 0) { 
@@ -156,7 +186,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * May also return -ENOMEM. */ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct pkcs7_signed_info *sinfo; struct x509_certificate *p; @@ -167,7 +198,7 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, p->seen = false; for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { - ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring); + ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring, usage); switch (ret) { case -ENOKEY: continue; diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..b3b48240ba73 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h 
@@ -30,7 +30,8 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, * pkcs7_trust.c */ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring); + struct key *trust_keyring, + enum key_being_used_for usage); /* * pkcs7_verify.c From patchwork Fri Apr 9 02:46:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 12192867 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94514C433ED for ; Fri, 9 Apr 2021 02:47:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7286E610C9 for ; Fri, 9 Apr 2021 02:47:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232981AbhDICr7 (ORCPT ); Thu, 8 Apr 2021 22:47:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43828 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232921AbhDICr6 (ORCPT ); Thu, 8 Apr 2021 22:47:58 -0400 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC460C061760; Thu, 8 Apr 2021 19:47:46 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id k23-20020a17090a5917b02901043e35ad4aso4223045pji.3; Thu, 08 Apr 2021 19:47:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; 
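Review bot: In the check_codesign_eku() hunk, the `key` passed in at `matched:` is the trust-keyring entry that anchored the chain, which can be a CA certificate rather than the certificate that produced the signature; RFC 5280 defines extendedKeyUsage for end-entity certificates, so the signer certificate's `pub->eku` from the parsed chain should be checked too, and the commit message should say that a CA key enrolled without the codeSigning EKU now rejects every module and kexec image signed under it.

Review bot: In the second pkcs7_trust.c hunk, returning -ENOKEY after a failed EKU check makes pkcs7_validate_trust() hit `case -ENOKEY: continue;` and the caller in system_keyring.c then logs "PKCS#7 signature not signed with a trusted key", which misdescribes a key that was found but lacks the purpose; return -EKEYREJECTED so the failure is reported for what it is, and consider pr_notice over pr_warn for a per-signature message that user-supplied modules can trigger at will.

Review bot: In the Kconfig hunk, the help text should warn that with CHECK_CODESIGN_EKU enabled every key in the keyrings consulted for module and kexec PE verification must carry the codeSigning EKU, including keys enrolled before this option existed and the build-time key of an existing tree, otherwise signature verification stops succeeding; the option is off by default, which is right, but the operational consequence of turning it on belongs in the help.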
From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 3/4] modsign: Add codeSigning EKU when generating X.509 key generation config Date: Fri, 9 Apr 2021 10:46:55 +0800 Message-Id: <20210409024656.8083-4-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210409024656.8083-1-jlee@suse.com> References: <20210409024656.8083-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Add codeSigning EKU to the X.509 key generation config for the build time autogenerated kernel key. Signed-off-by: "Lee, Chun-Yi" --- certs/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..1ef4d6ca43b7 100644 --- a/certs/Makefile +++ b/certs/Makefile 
@@ -88,6 +88,7 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ "extendedKeyUsage=codeSigning" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) From patchwork Fri Apr 9 02:46:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 12192869 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2982CC433B4 for ; Fri, 9 Apr 2021 02:47:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id F1F90611CA for ; Fri, 9 Apr 2021 02:47:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233049AbhDICsC (ORCPT ); Thu, 8 Apr 2021 22:48:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43838 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232921AbhDICsB (ORCPT ); Thu, 8 Apr 2021 22:48:01 -0400 Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AEE6AC061760; Thu, 8 Apr 2021 19:47:49 -0700 (PDT) Received: by mail-pl1-x62c.google.com with SMTP id g10so2017678plt.8; Thu, 08 Apr 2021 19:47:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
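Review bot: In the certs/Makefile hunk, the `$(obj)/x509.genkey:` rule has no prerequisites, so Make only writes the config when the file is absent; an existing build tree keeps its old x509.genkey and the signing key generated from it, neither of which carries `extendedKeyUsage=codeSigning`, and enabling CONFIG_CHECK_CODESIGN_EKU there makes the autogenerated key fail the check from patch 2. Say in the commit message or the Kconfig help that x509.genkey and the generated signing key must be deleted and regenerated after enabling the option.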
From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU Date: Fri, 9 Apr 2021 10:46:56 +0800 Message-Id: <20210409024656.8083-5-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210409024656.8083-1-jlee@suse.com> References: <20210409024656.8083-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Add an openssl command option example for generating CodeSign extended key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU is enabled. Signed-off-by: "Lee, Chun-Yi" --- Documentation/admin-guide/module-signing.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst index 7d7c7c8a545c..ca3b8f19466c 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -170,6 +170,12 @@ generate the public/private key files:: -config x509.genkey -outform PEM -out kernel_key.pem \ -keyout kernel_key.pem +When ``CONFIG_CHECK_CODESIGN_EKU`` option is enabled, the following openssl +command option should be added where for generating CodeSign extended key usage +in X.509:: + + -addext "extendedKeyUsage=codeSigning" + The full pathname for the resulting kernel_key.pem file can then be specified in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will be used instead of an autogenerated keypair.
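Review bot: In the module-signing.rst hunk, "the following openssl command option should be added where for generating CodeSign extended key usage in X.509" does not parse; suggest "the following option should be added to the openssl command above so that the certificate carries the codeSigning extended key usage". Also note that `-addext` exists only in OpenSSL 1.1.1 and later; since the documented command already passes `-config x509.genkey`, the same result is obtained on any version by adding `extendedKeyUsage=codeSigning` to the extensions section of x509.genkey, which is exactly what patch 3 does for the autogenerated key, and documenting that alternative keeps the two paths consistent.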