From patchwork Wed Jun 2 14:35:36 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 12294877 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7622C4708F for ; Wed, 2 Jun 2021 14:36:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C31D8610A1 for ; Wed, 2 Jun 2021 14:36:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231866AbhFBOhx (ORCPT ); Wed, 2 Jun 2021 10:37:53 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:5814 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S230246AbhFBOht (ORCPT ); Wed, 2 Jun 2021 10:37:49 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 152EYRKN180000; Wed, 2 Jun 2021 10:35:56 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=yzKYYNpLgG6WmVN4s1YaU80LkoAUSa953OPh2XdLe3o=; b=pKC924DBY6ItA5zT30vrxs989JmgQ4ZoM76kZeNUs9fQA7ayj0FX4m+wK6IkDV3j74Iy JrMWxybNP2zsRYynNmXONLLBnTUCodFIsUm6SlQCooJGNF+GvWzVLnIrNmpwKYU9C4jz Khdue9+CaPl684EWQDZ5pp530phMSEhPbxcBfxLHk9yODSUTuVuZ261XtrTTn1oUo3gu hrQ04p6ZAtzhLNqnxbnXhtZMoQN12Ph9KgJpIlT7PFUihM3lLyGqSHY8vgZdmlzl3+Bf 8kFq2Trqon4X6Lp0EEajdEaplSra4McWD4H1WFCPaQ6dEGz1DrFU2zO1DSPdja4Q4j9N 4g== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 38xbpdgcm8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 02 Jun 2021 10:35:56 -0400 Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 152EYVGE180733; Wed, 2 Jun 2021 10:35:55 -0400 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0b-001b2d01.pphosted.com with ESMTP id 38xbpdgckr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 02 Jun 2021 10:35:55 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 152EWjXt028477; Wed, 2 Jun 2021 14:35:55 GMT Received: from b01cxnp23034.gho.pok.ibm.com (b01cxnp23034.gho.pok.ibm.com [9.57.198.29]) by ppma02wdc.us.ibm.com with ESMTP id 38ud89r65f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 02 Jun 2021 14:35:55 +0000 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 152EZsDK6554052 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 2 Jun 2021 14:35:54 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9277E124052; Wed, 2 Jun 2021 14:35:54 +0000 (GMT) Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8373312405B; Wed, 2 Jun 2021 14:35:54 +0000 (GMT) Received: from localhost.localdomain (unknown [9.47.158.152]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 2 Jun 2021 14:35:54 +0000 (GMT) From: Stefan Berger To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Stefan Berger Subject: [PATCH v5 1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key Date: Wed, 2 Jun 2021 10:35:36 -0400 Message-Id: <20210602143537.545132-2-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210602143537.545132-1-stefanb@linux.ibm.com> References: <20210602143537.545132-1-stefanb@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 4VDGT5O215iy2H-2IdxaSy1f5KpVy-lN X-Proofpoint-GUID: fonAFhyLmM8nqiBDPD27yIE5sMjaIEHD X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.761 definitions=2021-06-02_07:2021-06-02,2021-06-02 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 clxscore=1015 malwarescore=0 bulkscore=0 adultscore=0 mlxscore=0 spamscore=0 lowpriorityscore=0 impostorscore=0 phishscore=0 mlxlogscore=999 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2106020095 Precedence: bulk List-ID: Address a kbuild issue where a developer created an ECDSA key for signing kernel modules and then builds an older version of the kernel, when bi- secting the kernel for example, that does not support ECDSA keys. If openssl is installed, trigger the creation of an RSA module signing key if it is not an RSA key. Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") Signed-off-by: Stefan Berger Cc: David Howells Cc: David Woodhouse --- certs/Makefile | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/certs/Makefile b/certs/Makefile index 359239a0ee9e..72758684d254 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -57,11 +57,19 @@ endif redirect_openssl = 2>&1 quiet_redirect_openssl = 2>&1 silent_redirect_openssl = 2>/dev/null +openssl_available = $(shell openssl help 2>/dev/null && echo yes) # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") + +ifeq ($(openssl_available),yes) +X509TEXT=$(shell openssl x509 -in $(CONFIG_MODULE_SIG_KEY) -text) + +$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY))) +endif + $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." From patchwork Wed Jun 2 14:35:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 12294875 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3D23C4709B for ; Wed, 2 Jun 2021 14:36:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E5F2E613BA for ; Wed, 2 Jun 2021 14:36:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231855AbhFBOhx (ORCPT ); Wed, 2 Jun 2021 10:37:53 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:26042 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230239AbhFBOhs (ORCPT ); Wed, 2 Jun 2021 10:37:48 -0400 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 152EWmIU147158; Wed, 2 Jun 2021 10:35:56 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=7qm+iXaeo85lDNxRFciM0bRslS+Wns07kIdl2CR3Gpo=; b=OqhBkA/BtlLMBIUWPcDIftQThEvCwVJyE8SBf9ODEof3E7/PzWeTyzPaDdvsErIyTNkS O1lByUvK6KWdJcE/0L1VBr7J3VurCE0uogiBGmo23PK6JeXu+zB5LXn1h/FmGohRcyRF x4/fk0/zlue9qnxfU+jtWB7ifWJwTRxagE1ScP+tijXkeAp5UBTFlA4/1e+Cj42t5uGu DjmUxVKGeszFXbUtaBHxrPSxxaaIzRRzDbVhCq3mQ7kzO2EZZnCh5t6MlzMiltlNNJ+0 NYzGMq1ru1lRm2B4t55CWZ5C0OAGChIhkFc29kfgSR3IOAhljMLa1zZB+1olIyACxNMg Gw== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 38x7kr88wr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 02 Jun 2021 10:35:56 -0400 Received: from m0098417.ppops.net (m0098417.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 152EYAGH152920; Wed, 2 Jun 2021 10:35:55 -0400 Received: from ppma05wdc.us.ibm.com (1b.90.2fa9.ip4.static.sl-reverse.com [169.47.144.27]) by mx0a-001b2d01.pphosted.com with ESMTP id 38x7kr88wc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 02 Jun 2021 10:35:55 -0400 Received: from pps.filterd (ppma05wdc.us.ibm.com [127.0.0.1]) by ppma05wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 152EVMS2011586; Wed, 2 Jun 2021 14:35:55 GMT Received: from b01cxnp23034.gho.pok.ibm.com (b01cxnp23034.gho.pok.ibm.com [9.57.198.29]) by ppma05wdc.us.ibm.com with ESMTP id 38ud8986ew-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 02 Jun 2021 14:35:55 +0000 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 152EZs6e19333602 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 2 Jun 2021 14:35:54 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AC95B124053; Wed, 2 Jun 2021 14:35:54 +0000 (GMT) Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 93164124060; Wed, 2 Jun 2021 14:35:54 +0000 (GMT) Received: from localhost.localdomain (unknown [9.47.158.152]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 2 Jun 2021 14:35:54 +0000 (GMT) From: Stefan Berger To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Stefan Berger Subject: [PATCH v5 2/2] certs: Add support for using elliptic curve keys for signing modules Date: Wed, 2 Jun 2021 10:35:37 -0400 Message-Id: <20210602143537.545132-3-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210602143537.545132-1-stefanb@linux.ibm.com> References: <20210602143537.545132-1-stefanb@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: DiQoddKUzYVWdIosZUMvTxfH5KW99swC X-Proofpoint-ORIG-GUID: Bh1DcqbXKBRhbVoFb4pKVm4QTd164kC5 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.761 definitions=2021-06-02_07:2021-06-02,2021-06-02 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 malwarescore=0 priorityscore=1501 lowpriorityscore=0 adultscore=0 bulkscore=0 mlxlogscore=999 spamscore=0 clxscore=1015 suspectscore=0 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2106020095 Precedence: bulk List-ID: Add support for using elliptic curve keys for signing modules. It uses a NIST P384 (secp384r1) key if the user chooses an elliptic curve key and will have ECDSA support built into the kernel. Note: A developer choosing an ECDSA key for signing modules should still delete the signing key (rm certs/signing_key.*) when building an older version of a kernel that only supports RSA keys. Unless kbuild automati- cally detects and generates a new kernel module key, ECDSA-signed kernel modules will fail signature verification. Signed-off-by: Stefan Berger Cc: David Howells Cc: David Woodhouse --- certs/Kconfig | 26 ++++++++++++++++++++++++++ certs/Makefile | 13 +++++++++++++ crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ 3 files changed, 47 insertions(+) diff --git a/certs/Kconfig b/certs/Kconfig index f4e61116f94e..916cbb1af928 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -15,6 +15,32 @@ config MODULE_SIG_KEY then the kernel will automatically generate the private key and certificate as described in Documentation/admin-guide/module-signing.rst +choice + prompt "Type of module signing key to be generated" + default MODULE_SIG_KEY_TYPE_RSA + help + The type of module signing key type to generate. This option + does not apply if a #PKCS11 URI is used. + +config MODULE_SIG_KEY_TYPE_RSA + bool "RSA" + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) + help + Use an RSA key for module signing. + +config MODULE_SIG_KEY_TYPE_ECDSA + bool "ECDSA" + select CRYPTO_ECDSA + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) + help + Use an elliptic curve key (NIST P384) for module signing. Consider + using a strong hash like sha256 or sha384 for hashing modules. + + Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem, + when falling back to building Linux 5.11 and older kernels. + +endchoice + config SYSTEM_TRUSTED_KEYRING bool "Provide system-wide ring of trusted keys" depends on KEYS diff --git a/certs/Makefile b/certs/Makefile index 72758684d254..4eb69bdadc79 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -66,9 +66,21 @@ ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") ifeq ($(openssl_available),yes) X509TEXT=$(shell openssl x509 -in $(CONFIG_MODULE_SIG_KEY) -text) +endif +# Support user changing key type +ifdef CONFIG_MODULE_SIG_KEY_TYPE_ECDSA +keytype_openssl = -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 +ifeq ($(openssl_available),yes) +$(if $(findstring id-ecPublicKey,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY))) +endif +endif # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA + +ifdef CONFIG_MODULE_SIG_KEY_TYPE_RSA +ifeq ($(openssl_available),yes) $(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY))) endif +endif # CONFIG_MODULE_SIG_KEY_TYPE_RSA $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @@ -83,6 +95,7 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey -batch -x509 -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.pem \ -keyout $(obj)/signing_key.pem \ + $(keytype_openssl) \ $($(quiet)redirect_openssl) @$(kecho) "###" @$(kecho) "### Key pair generated." diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c index 967329e0a07b..6592279d839a 100644 --- a/crypto/asymmetric_keys/pkcs7_parser.c +++ b/crypto/asymmetric_keys/pkcs7_parser.c @@ -269,6 +269,14 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen, ctx->sinfo->sig->pkey_algo = "rsa"; ctx->sinfo->sig->encoding = "pkcs1"; break; + case OID_id_ecdsa_with_sha1: + case OID_id_ecdsa_with_sha224: + case OID_id_ecdsa_with_sha256: + case OID_id_ecdsa_with_sha384: + case OID_id_ecdsa_with_sha512: + ctx->sinfo->sig->pkey_algo = "ecdsa"; + ctx->sinfo->sig->encoding = "x962"; + break; default: printk("Unsupported pkey algo: %u\n", ctx->last_oid); return -ENOPKG;