From patchwork Tue Mar 9 09:10:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 396175 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD36EC433DB for ; Tue, 9 Mar 2021 09:12:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8DDEE65130 for ; Tue, 9 Mar 2021 09:12:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229730AbhCIJLx (ORCPT ); Tue, 9 Mar 2021 04:11:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46022 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229813AbhCIJLV (ORCPT ); Tue, 9 Mar 2021 04:11:21 -0500 Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 70620C06174A; Tue, 9 Mar 2021 01:11:21 -0800 (PST) Received: by mail-pj1-x102c.google.com with SMTP id kx1so556394pjb.3; Tue, 09 Mar 2021 01:11:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=7xtegNsLq1BrppoFpeV19FwALB/ET7XzOcPVqqrlNjU=; b=edDsIgGGJzTETG5MBhlGenarTsbp6v55Ik8a6T3Utl3BDh5aF9FFvIVTodD1WUcNUc v0rtGy5FhpIiuIjcHTL4CR9Pb9HkEpTHAKRY3j7l/Tytrpga3W7qOqqgoKjaTcyMxcHF 8q34HXMg9nkLEWllH15TURJvWG2/N8kHvoCkr7HboMb9NDcOhiUFHz5cKl9/Uhm8CWwz cmP52D+iccP0+BJAHwiYSWAGIdq4LboV3zRbqQA0wMblG7nkoOKFMLnSke415uCFAShy Z/2jXfbchETOYp4MB7gwqZ1aWzXl3YSfU4InKQe2kn/g/viCYYoT1kcOOs2fksPhZ90L fQ/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=7xtegNsLq1BrppoFpeV19FwALB/ET7XzOcPVqqrlNjU=; b=UuT9MWw8QBGfP+2ateosbEaMIaB9JqGLTPiUJgwE7I49UYRApvAeYyZtwcz5+JPO5u EkxoQeNfuI4SNQJrqvGFJ/BqrrLNRaPZovGC3kKyQeZyoy/cW5hvbd6jC9J6UY4TNvWm QgJVEgnB+ZNfRM4ST88d7idiDnGJo6lAETUzVQA5MnfcGUcFlGnPP+MslF+ijD/QS4Yx l5/iK5xYuRnT1ORFvJr2MyL+/kRruEPp4Ue1t8a0Xe7kr8oV8+KKzHaryJVpynZc6Vju n1GD329MgiV9B0CbyYO9blVIBrDNyqLbiRn+yAea9fDeDVDYhvG7Eai+ReN6PhfnNgSo Vpxg== X-Gm-Message-State: AOAM530ABkdaTbkaur1RlW76hR7wtOVmkVSpv3M27wVhF1l8MdvuRe7m FTjGCib2VYddzIeDnY4dLPs= X-Google-Smtp-Source: ABdhPJz5Zk98uMK/QSb8hOiSSb/CJitpngt7KOMr9B6PX7v7JGnKKl/S2Hqi/4nyxmbVn0UWPLXMfA== X-Received: by 2002:a17:90a:6282:: with SMTP id d2mr3530298pjj.168.1615281081061; Tue, 09 Mar 2021 01:11:21 -0800 (PST) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id js16sm2094860pjb.21.2021.03.09.01.11.19 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Mar 2021 01:11:20 -0800 (PST) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 1/4] X.509: Add CodeSigning extended key usage parsing Date: Tue, 9 Mar 2021 17:10:41 +0800 Message-Id: <20210309091044.2298-2-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210309091044.2298-1-jlee@suse.com> References: <20210309091044.2298-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org This patch adds the logic for parsing the CodeSign extended key usage extension in X.509. The parsing result will be set to the eku flag which is carried by public key. It can be used in the PKCS#7 verification. Signed-off-by: "Lee, Chun-Yi" --- crypto/asymmetric_keys/x509_cert_parser.c | 24 ++++++++++++++++++++++++ include/crypto/public_key.h | 1 + include/linux/oid_registry.h | 5 +++++ 3 files changed, 30 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 52c9b455fc7d..65721313b265 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -497,6 +497,8 @@ int x509_process_extension(void *context, size_t hdrlen, struct x509_parse_context *ctx = context; struct asymmetric_key_id *kid; const unsigned char *v = value; + int i = 0; + enum OID oid; pr_debug("Extension: %u\n", ctx->last_oid); @@ -526,6 +528,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_extKeyUsage) { + if (v[0] != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ) || + v[1] != vlen - 2) + return -EBADMSG; + i += 2; + + while (i < vlen) { + /* A 10 bytes EKU OID Octet blob = + * ASN1_OID + size byte + 8 bytes OID */ + if (v[i] != ASN1_OID || v[i + 1] != 8 || (i + 10) > vlen) + return -EBADMSG; + + oid = look_up_OID(v + i + 2, v[i + 1]); + if (oid == OID_codeSigning) { + ctx->cert->pub->eku |= EKU_codeSigning; + } + i += 10; + } + pr_debug("extKeyUsage: %d\n", ctx->cert->pub->eku); + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..1ccaebe2a28b 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -28,6 +28,7 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned int eku : 9; /* Extended Key Usage (9-bit) */ }; extern void public_key_free(struct public_key *key); diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index 4462ed2c18cd..e20e8eb53b21 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h @@ -113,9 +113,14 @@ enum OID { OID_SM2_with_SM3, /* 1.2.156.10197.1.501 */ OID_sm3WithRSAEncryption, /* 1.2.156.10197.1.504 */ + /* Extended key purpose OIDs [RFC 5280] */ + OID_codeSigning, /* 1.3.6.1.5.5.7.3.3 */ + OID__NR }; +#define EKU_codeSigning (1 << 2) + extern enum OID look_up_OID(const void *data, size_t datasize); extern int sprint_oid(const void *, size_t, char *, size_t); extern int sprint_OID(enum OID, char *, size_t); From patchwork Tue Mar 9 09:10:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 396881 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AFDD2C4332E for ; Tue, 9 Mar 2021 09:12:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 95E6865134 for ; Tue, 9 Mar 2021 09:12:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229813AbhCIJLy (ORCPT ); Tue, 9 Mar 2021 04:11:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229881AbhCIJLY (ORCPT ); Tue, 9 Mar 2021 04:11:24 -0500 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E069C06174A; Tue, 9 Mar 2021 01:11:23 -0800 (PST) Received: by mail-pj1-x1030.google.com with SMTP id cl21-20020a17090af695b02900c61ac0f0e9so694894pjb.1; Tue, 09 Mar 2021 01:11:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=3jn01rfak00HumWqfPS+bL637Js5LvIW2OJzeMurQFU=; b=LamV33tyeHMdFMfQxIpS1ajCBd+iMj+xvwxqDF69aNw2moF5n0VgV/E4f3opbexC2x cZkNnkghu5XBUzzuRZpWbzWL5V5qbl4nhxqV+hGDmG5X/EdvNzcoS08U9GtYMNzZ3nKt 1LTa0xkw2aqrM+gxo9w6Dlxcri+/DWECCY0j+vqtAh0D29f/S3Qs57SWiwwpKN+/BLIl nRK72wFjTmZxbBItZoV+C+H30hvWpJxIFaY1Ic+99NFwGqCHFlNXMsITFwpyeJ8M+XKs i76iCbqDFSxl2T1fLM2m62oSgOZS0t8LLJDPe5BBoB5q6URUBKqLeE7amDneXtPb5XAr 0P7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=3jn01rfak00HumWqfPS+bL637Js5LvIW2OJzeMurQFU=; b=VjaxX6jh5q+LOncNhfFvn5GDokCbN54v8kcdLwFhTuSRd9P/w6ikaO2QgLbwHYb0oR rDKGr9gJoPmR5NEbZN03FIFtLLAWQHmxO16n+tf6EMMEUZJeJ17bB1OmyIqxI3VcFxDP +BRoruCB0CUUhKlyka4lfBKQZ9iygCEpRlfL46IXmUcaS6zL9JC1DkoFKy4d8U8eS/75 iApJTOq1ZLDjXGgJhEVfyLDoWET6UrCDYiNy8NxreHZSHcNfuTKRppmVcE/zMehDEbQy +nownMMeMOb4wZsOi3+yvWtX6Ant49G1qGbV9j9wBIarsMOs4aRoj7z3qSdAFLAb9zPj YDKQ== X-Gm-Message-State: AOAM533zfpiNvj+/LUpnVPNu0js1VDdaY0ek/XxqDLXBmO86APErSOz5 lvVQ3S3b3g3TPZGc1DRreTM= X-Google-Smtp-Source: ABdhPJzw4te7O4PGbKKdkSwmkVQWB9/ygiKGoVPEsRk2B6aEcVUHJJ8WKmbwClnSHngPxf4nJvFmOw== X-Received: by 2002:a17:90b:1c0e:: with SMTP id oc14mr3633043pjb.188.1615281083237; Tue, 09 Mar 2021 01:11:23 -0800 (PST) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id js16sm2094860pjb.21.2021.03.09.01.11.21 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Mar 2021 01:11:22 -0800 (PST) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Date: Tue, 9 Mar 2021 17:10:42 +0800 Message-Id: <20210309091044.2298-3-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210309091044.2298-1-jlee@suse.com> References: <20210309091044.2298-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org This patch adds the logic for checking the CodeSigning extended key usage when verifying signature of kernel module or kexec PE binary in PKCS#7. Signed-off-by: "Lee, Chun-Yi" --- certs/system_keyring.c | 2 +- crypto/asymmetric_keys/Kconfig | 9 +++++++++ crypto/asymmetric_keys/pkcs7_trust.c | 37 +++++++++++++++++++++++++++++++++--- include/crypto/pkcs7.h | 3 ++- 4 files changed, 46 insertions(+), 5 deletions(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 4b693da488f1..c9f8bca0b0d3 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -243,7 +243,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len, goto error; } } - ret = pkcs7_validate_trust(pkcs7, trusted_keys); + ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage); if (ret < 0) { if (ret == -ENOKEY) pr_devel("PKCS#7 signature not signed with a trusted key\n"); diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 1f1f004dc757..1754812df989 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -96,4 +96,13 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. +config CHECK_CODESIGN_EKU + bool "Check codeSigning extended key usage" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION + help + This option provides support for checking the codeSigning extended + key usage when verifying the signature in PKCS#7. It affects kernel + module verification and kexec PE binary verification. + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index b531df2013c4..077bfef928b6 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -16,12 +16,36 @@ #include #include "pkcs7_parser.h" +#ifdef CONFIG_CHECK_CODESIGN_EKU +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + struct public_key *public_key = key->payload.data[asym_crypto]; + + switch (usage) { + case VERIFYING_MODULE_SIGNATURE: + case VERIFYING_KEXEC_PE_SIGNATURE: + return !!(public_key->eku & EKU_codeSigning); + default: + break; + } + return true; +} +#else +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + return true; +} +#endif + /* * Check the trust on one PKCS#7 SignedInfo block. */ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct public_key_signature *sig = sinfo->sig; struct x509_certificate *x509, *last = NULL, *p; @@ -112,6 +136,12 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return -ENOKEY; matched: + if (!check_codesign_eku(key, usage)) { + pr_warn("sinfo %u: The signer %x key is not CodeSigning\n", + sinfo->index, key_serial(key)); + key_put(key); + return -ENOKEY; + } ret = verify_signature(key, sig); key_put(key); if (ret < 0) { @@ -156,7 +186,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * May also return -ENOMEM. */ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct pkcs7_signed_info *sinfo; struct x509_certificate *p; @@ -167,7 +198,7 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, p->seen = false; for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { - ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring); + ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring, usage); switch (ret) { case -ENOKEY: continue; diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..b3b48240ba73 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -30,7 +30,8 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, * pkcs7_trust.c */ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring); + struct key *trust_keyring, + enum key_being_used_for usage); /* * pkcs7_verify.c From patchwork Tue Mar 9 09:10:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 396174 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 104E0C43333 for ; Tue, 9 Mar 2021 09:12:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CCF646513E for ; Tue, 9 Mar 2021 09:12:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230027AbhCIJLz (ORCPT ); Tue, 9 Mar 2021 04:11:55 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46066 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230035AbhCIJLa (ORCPT ); Tue, 9 Mar 2021 04:11:30 -0500 Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4B0B3C06174A; Tue, 9 Mar 2021 01:11:30 -0800 (PST) Received: by mail-pf1-x431.google.com with SMTP id t85so3768681pfc.13; Tue, 09 Mar 2021 01:11:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=QytjAJtOx4I9dfHfggs5vaGHYdTZvLqDyfwbAQPftuk=; b=nSIvOGb6tSCjl8BQSt7eWgl//EkVoKhdJMfrQGwR0QS5gAAbCkuuyhV1Mwe/g+BY/8 Iy8pUA604rKGXX8TKh6nEm/+pStveBGKpMCxdqpHd/fJQVCRrjG7ODylW1bGm7pHnMfX ysZZWqZ1qNtW+zs8Icm/ndLnizaH6hBXCSX84U2UiNG6unaF8tZ4hFC+SO5Vv2EoITEX M6uMZcR6TKSahCjE/K/t8jbuDO81eWrzv9dfbRCBkp6Q1gi2dWv4f/sQfmbQgEH7Z+s7 VWwDoB8RYR27rqoV/NIvmDrxEi5IWxNVbWpCrwM2UyrIPhech3r/zP4Deaiin5TzBaE9 rmxQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=QytjAJtOx4I9dfHfggs5vaGHYdTZvLqDyfwbAQPftuk=; b=s+pIj7jPYnj8XVC2tj/3h1k7TaCzDvjbjxYjDMAJL3kfS1sH2+3H4xL0i5bOAWmB3x 1j1FkEh1tvJ1Ce4sNyHjBVH1/7KrH0PmpyEXgMnrZum68hS/Muo+ZPeZ7bNPpobeYrdj Mbf0xtpRcgLQZT6i6FsNHvx6IEmTx8ed83XH2nMprAoBrYtijOkFBn1Eog4mm4NJ/opR igNTbzUFvdARA+Sz2EUZvVqmVHFwhh1lkD4axj1XDD9o/d5a4LsMZTcSNNS/WpeWxkiu YCqiqT7k8T+ft0hEPbH23vipuGfA7i4YLDckGE3A0LwXhcBtph/P4S0XiKGIIa6HDjGk CDig== X-Gm-Message-State: AOAM531O9b3CkVKE9gECK8SNJXEo9W3D1FVtIQUku5rerKKBfEoHOfmA BRyVEatfV7yS4JWkYulPVEw= X-Google-Smtp-Source: ABdhPJy3C0f3UgsS7MmGuwLZomizZ0NzjpPvyjFQcXLxJQHl/Tgb5Ixaf18ACIDmJOL6N4qCbvrIsA== X-Received: by 2002:a63:5b0e:: with SMTP id p14mr23981985pgb.110.1615281089934; Tue, 09 Mar 2021 01:11:29 -0800 (PST) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id js16sm2094860pjb.21.2021.03.09.01.11.27 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Mar 2021 01:11:29 -0800 (PST) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 3/4] modsign: Add codeSigning EKU when generating X.509 key generation config Date: Tue, 9 Mar 2021 17:10:43 +0800 Message-Id: <20210309091044.2298-4-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210309091044.2298-1-jlee@suse.com> References: <20210309091044.2298-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add codeSigning EKU to the X.509 key generation config for the build time autogenerated kernel key. Signed-off-by: "Lee, Chun-Yi" --- certs/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..1ef4d6ca43b7 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -88,6 +88,7 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ "extendedKeyUsage=codeSigning" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) From patchwork Tue Mar 9 09:10:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 396880 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 24991C43332 for ; Tue, 9 Mar 2021 09:12:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0701165149 for ; Tue, 9 Mar 2021 09:12:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230070AbhCIJL4 (ORCPT ); Tue, 9 Mar 2021 04:11:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46074 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230045AbhCIJLc (ORCPT ); Tue, 9 Mar 2021 04:11:32 -0500 Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 846D0C06174A; Tue, 9 Mar 2021 01:11:32 -0800 (PST) Received: by mail-pg1-x530.google.com with SMTP id p21so8346235pgl.12; Tue, 09 Mar 2021 01:11:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=wB1I6Nqq7AfdRuGhioLL2RWvT/EvSUrtBmeOoGNpC4c=; b=e6FOS+NacLfH/xWKXxkeAAl8YYsBU2mL4UMX6ikAkgoSs8yPJVmUIHx4/QxTYE7fw0 w1ZHyv2GTZ/sZH0ktGLEAcY9a6ElhPgegk3vcOiSJ59PQbnGcuBEFKe6ix5bDKH60vTd ohs2TH4haNKwYDw8GY3L6JlMx2FWPsr52kbeGiLqCmYqEL/tp+s3Bpyh9FblH9Ba6dKs lEcuLqrhCNP20MShXa2M3UJkt387aYsqSMbnTFOQv8I4leMji6uZ/F5vPbZ8P7XG0qf5 nDMdjI6r3ElkvoHfOay4uOTrV+d41TqT/cdppn1HaCzE5kO+KET84M7lFqb0X0/pCkdh e9yA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=wB1I6Nqq7AfdRuGhioLL2RWvT/EvSUrtBmeOoGNpC4c=; b=aqn6uIwCULQHA4eeUsSf0Yzbh95pNyTABmcMFNW9y1TDsZA4lo4nABTTcpDL7242ar i9q32839fBhhElCQ+YYFxwQdKMDk1aDJ0Jg5PXWh6l85xwruqC4g8ep9HCO6tYJqWNDg o/c3942p+bh0EYXWSYFPE1DWAls9kS6Ej+Bz3ZnhMLWdwX8KCrjRST+hCXEqPYzJNMSV XGcsiuqV/WtSVFBYS0dcY2FNf9PwO1Yp/mHSMfAP+MJ6IyBVpkUwjLKrR4m54xrtFmzH bbzd3PFqi41gJeYq2gxloSuJn/thK7buf3ZXmYfzdogp07vL9rSfIeLm+Pdq+sWdu+jE ca+Q== X-Gm-Message-State: AOAM530MFH+ZI9WPCasY6G7wkwgiznCgQmCxav0iVhfoMurWXjDaxgnh j6Yt5JJHsdtML1diiAUc/Bw= X-Google-Smtp-Source: ABdhPJy79MblW78n0Euz3R9cSKXRk+Qbo1KkS1pr1AsyVwJFY6AjUqYDYZLO4jOyJPm0b9F9vDFHYw== X-Received: by 2002:a63:c0a:: with SMTP id b10mr24874934pgl.251.1615281092137; Tue, 09 Mar 2021 01:11:32 -0800 (PST) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id js16sm2094860pjb.21.2021.03.09.01.11.30 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Mar 2021 01:11:31 -0800 (PST) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH 4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU Date: Tue, 9 Mar 2021 17:10:44 +0800 Message-Id: <20210309091044.2298-5-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210309091044.2298-1-jlee@suse.com> References: <20210309091044.2298-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add an openssl command option example for generating CodeSign extended key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU is enabled. Signed-off-by: "Lee, Chun-Yi" --- Documentation/admin-guide/module-signing.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst index 7d7c7c8a545c..ca3b8f19466c 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -170,6 +170,12 @@ generate the public/private key files:: -config x509.genkey -outform PEM -out kernel_key.pem \ -keyout kernel_key.pem +When ``CONFIG_CHECK_CODESIGN_EKU`` option is enabled, the following openssl +command option should be added where for generating CodeSign extended key usage +in X.509:: + + -addext "extendedKeyUsage=codeSigning" + The full pathname for the resulting kernel_key.pem file can then be specified in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will be used instead of an autogenerated keypair.