From patchwork Fri May 21 09:42:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 445984 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 09938C43460 for ; Fri, 21 May 2021 09:43:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E2593613CC for ; Fri, 21 May 2021 09:43:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237059AbhEUJoq (ORCPT ); Fri, 21 May 2021 05:44:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33472 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237033AbhEUJoh (ORCPT ); Fri, 21 May 2021 05:44:37 -0400 Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5EA0DC061763; Fri, 21 May 2021 02:43:13 -0700 (PDT) Received: by mail-pg1-x533.google.com with SMTP id f22so12856458pgb.9; Fri, 21 May 2021 02:43:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=yT6CAnQjd1D49HHgiYY1r24DT674aBCTUWawwoMceAU=; b=Nu8bsfX+8IcYLqpc3IEVwhRxGZ6nnqLeSoEdq6WpPFyzi3By7rvc9JMGQ0mAjYDBXs IaZ+8jDTeXzqK8zdq/4WINzXC3ycE+nxiKtihlPcQoKbGMtvy8N2ljRE2h7nOQd2aIlE 0OW2vYFYtFJeLADJCM6dQRHP0tnO/3UJ7ZXQ/dIcDZecBBb5tIcobdZhN55j6+pl0Kt+ fFkLp56SQv2ADRmzArQWrb+CXqLyPAXoTLjnI10hgQzAWe9v/LCeLnLLPteyc1SvSJou 4xAnPpJCNjhDsTgxQOdbAlieNMvRHraPcNmpJRS96EN2W85exaUypRkeFEczeGdcMcLc Y1aQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=yT6CAnQjd1D49HHgiYY1r24DT674aBCTUWawwoMceAU=; b=kEjiJICgq5QuHk42ntolEHAFjANESBlYQDEVeyPw2bjeZTICGy0txq0TqfenJKvMDH yarC1qfD/70XuG3oTqUMxKNDnXTC6ht1HCZpaOk5goJcwquzTejmGqmKSBSnbysDMC9q ZTZ/HHJY40YhvUpGLL24g0j5DEnS0EN3BTs8a1rJBEzFOPhE58OQqIF1rU6QW/hmHL3H vr3YQWhzlPx5O485+3LkdMw1//ab432ZjpXxmbPDRHkp2weYsChBs4vt7lNuKGa0s6Bm 1eqI+Mmc2d+4hYxNkHmoksNSBQaAP8rcDWeStOc8feqdeXqOnqEp3Xj1rBvkBvMTuQWW Aqeg== X-Gm-Message-State: AOAM531uEN+1Y5khZGRWB3CurA+KDTm+fz2jeuz/n9EErzrPaBMAjyfY Had1ScF701rYUPNh7AJdiCM= X-Google-Smtp-Source: ABdhPJywG0rIjFot4aTRs7ECgsHzH2YWw4/t6AWlpnb9oiRW3ZQQsDW9ZzYwYrI75lqIWmpzpGk8XA== X-Received: by 2002:a05:6a00:1509:b029:2de:6765:276b with SMTP id q9-20020a056a001509b02902de6765276bmr9443966pfu.67.1621590192965; Fri, 21 May 2021 02:43:12 -0700 (PDT) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id g202sm4091931pfb.54.2021.05.21.02.43.00 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 May 2021 02:43:12 -0700 (PDT) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , Varad Gautam , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH v7,1/4] X.509: Add CodeSigning extended key usage parsing Date: Fri, 21 May 2021 17:42:17 +0800 Message-Id: <20210521094220.1238-2-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210521094220.1238-1-jlee@suse.com> References: <20210521094220.1238-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org This patch adds the logic for parsing the CodeSign extended key usage extension in X.509. The parsing result will be set to the eku flag which is carried by public key. It can be used in the PKCS#7 verification. Signed-off-by: "Lee, Chun-Yi" --- crypto/asymmetric_keys/x509_cert_parser.c | 25 +++++++++++++++++++++++++ include/crypto/public_key.h | 1 + include/linux/oid_registry.h | 5 +++++ 3 files changed, 31 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 6d003096b5bc..996db9419474 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -542,6 +542,8 @@ int x509_process_extension(void *context, size_t hdrlen, struct x509_parse_context *ctx = context; struct asymmetric_key_id *kid; const unsigned char *v = value; + int i = 0; + enum OID oid; pr_debug("Extension: %u\n", ctx->last_oid); @@ -571,6 +573,29 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_extKeyUsage) { + if (vlen < 2 || + v[0] != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ) || + v[1] != vlen - 2) + return -EBADMSG; + i += 2; + + while (i < vlen) { + /* A 10 bytes EKU OID Octet blob = + * ASN1_OID + size byte + 8 bytes OID */ + if ((i + 10) > vlen || v[i] != ASN1_OID || v[i + 1] != 8) + return -EBADMSG; + + oid = look_up_OID(v + i + 2, v[i + 1]); + if (oid == OID_codeSigning) { + ctx->cert->pub->eku |= EKU_codeSigning; + } + i += 10; + } + pr_debug("extKeyUsage: %d\n", ctx->cert->pub->eku); + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..1ccaebe2a28b 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -28,6 +28,7 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned int eku : 9; /* Extended Key Usage (9-bit) */ }; extern void public_key_free(struct public_key *key); diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index 461b7aa587ba..8c8935f0eb73 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h @@ -125,9 +125,14 @@ enum OID { OID_TPMImportableKey, /* 2.23.133.10.1.4 */ OID_TPMSealedData, /* 2.23.133.10.1.5 */ + /* Extended key purpose OIDs [RFC 5280] */ + OID_codeSigning, /* 1.3.6.1.5.5.7.3.3 */ + OID__NR }; +#define EKU_codeSigning (1 << 2) + extern enum OID look_up_OID(const void *data, size_t datasize); extern int parse_OID(const void *data, size_t datasize, enum OID *oid); extern int sprint_oid(const void *, size_t, char *, size_t); From patchwork Fri May 21 09:42:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 444786 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB3B6C433B4 for ; Fri, 21 May 2021 09:43:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C09B3613C4 for ; Fri, 21 May 2021 09:43:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237003AbhEUJoy (ORCPT ); Fri, 21 May 2021 05:44:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33498 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236951AbhEUJol (ORCPT ); Fri, 21 May 2021 05:44:41 -0400 Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CA5A4C061574; Fri, 21 May 2021 02:43:17 -0700 (PDT) Received: by mail-pl1-x62d.google.com with SMTP id u7so2114105plq.4; Fri, 21 May 2021 02:43:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=d4ttKCOYGlPANGRL5I5eYWePmnjLRicDrCzRRbqf6M0=; b=Yhhh5f5vRcMVPZic8w1VbI5A9ULne9P2DtKDzmZHTtiKVPnH3IJnDrTBuojg5qCaeg dumxD6FZSABTa0rFtj6rI76Mr1wB7kFC5rebpuM8lFH27oA86ahxYQhUH0QrJdrkNOAn oBDnJ122Z+6BlXCPejrFLBs5x4KJxK25WK5QoUMWqSDq5hZOIIS/MVB3LRrlLlAr/3ot 3Y2cr9zEOUh8ar/Kw7NkEF99p+5xbKEzXfq1fyINmr/1G6FQbAjPC6n4r1wy5cmzPp9i t9lS0D3Rli6WsuTY9o+0u4iH3TJXjHtDB3x+ajqZvL4FfcRAWylZbFvJ65OebkMR4djm tcNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=d4ttKCOYGlPANGRL5I5eYWePmnjLRicDrCzRRbqf6M0=; b=crrHPV6MMufwCTZJP4lVpwq5hzGkmlf+IYFclWH+W0e7dIwSBS477lOSXoD2D+Yzxt R8puytKnzAnSLXu/2S9yuIipLS9N9astUOYDR68gLgfyF9L09OunmiQZoK5EOrv0Qves 1n5cdr+BGD6eV7gv3uoZtUS/416qtDtZlsgEuvbyS9weqB8/ghkrCuogfB58uU86lKV8 Wt29l3Npc+rdUjBygbnzjThO1sRTlv2QA3ZSbyHfYOku1MkiKa2Kee47gROK2VGja9AT +H7KAbAPmI8NKvx0iWfgpdz394D42hOrzx1uJiShiw8ODoKWDf5fkO3NuYPRDaVUTtZw L5pw== X-Gm-Message-State: AOAM532bx8NadiaCAc09QPA3HVFcbcBoSmqgqficq6OohhT3SX+I17w1 URhZRj00PM1IG9KfCe8FwK63BEGENS0= X-Google-Smtp-Source: ABdhPJxeasmWBUsCxaCEhBBi9RikRPi8o+jXf0WIwn2/zVBaCb1B0D33BFqjHrE/4EPK53Qe+F5Jgw== X-Received: by 2002:a17:903:2403:b029:ef:9419:b914 with SMTP id e3-20020a1709032403b02900ef9419b914mr11162027plo.59.1621590197307; Fri, 21 May 2021 02:43:17 -0700 (PDT) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id g202sm4091931pfb.54.2021.05.21.02.43.13 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 May 2021 02:43:17 -0700 (PDT) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , Varad Gautam , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH v7, 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Date: Fri, 21 May 2021 17:42:18 +0800 Message-Id: <20210521094220.1238-3-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210521094220.1238-1-jlee@suse.com> References: <20210521094220.1238-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org This patch adds the logic for checking the CodeSigning extended key usage when verifying signature of kernel module or kexec PE binary in PKCS#7. Signed-off-by: "Lee, Chun-Yi" Reported-by: kernel test robot Reported-by: kernel test robot --- certs/blacklist.c | 6 +++-- certs/system_keyring.c | 4 ++-- crypto/asymmetric_keys/Kconfig | 9 ++++++++ crypto/asymmetric_keys/pkcs7_trust.c | 43 +++++++++++++++++++++++++++++++++--- include/crypto/pkcs7.h | 4 +++- include/keys/system_keyring.h | 7 ++++-- 6 files changed, 63 insertions(+), 10 deletions(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index c9a435b15af4..a4ef26286584 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -16,6 +16,7 @@ #include #include #include +#include #include "blacklist.h" #include "common.h" @@ -181,11 +182,12 @@ int add_key_to_revocation_list(const char *data, size_t size) * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked * @pkcs7: The PKCS#7 message to check */ -int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +int is_key_on_revocation_list(struct pkcs7_message *pkcs7, + enum key_being_used_for usage) { int ret; - ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); + ret = pkcs7_validate_trust(pkcs7, blacklist_keyring, usage, false); if (ret == 0) return -EKEYREJECTED; diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 692365dee2bd..394cf4e0feed 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -221,13 +221,13 @@ int verify_pkcs7_message_sig(const void *data, size_t len, goto error; } - ret = is_key_on_revocation_list(pkcs7); + ret = is_key_on_revocation_list(pkcs7, usage); if (ret != -ENOKEY) { pr_devel("PKCS#7 platform key is on revocation list\n"); goto error; } } - ret = pkcs7_validate_trust(pkcs7, trusted_keys); + ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage, true); if (ret < 0) { if (ret == -ENOKEY) pr_devel("PKCS#7 signature not signed with a trusted key\n"); diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 1f1f004dc757..1754812df989 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -96,4 +96,13 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. +config CHECK_CODESIGN_EKU + bool "Check codeSigning extended key usage" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION + help + This option provides support for checking the codeSigning extended + key usage when verifying the signature in PKCS#7. It affects kernel + module verification and kexec PE binary verification. + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index b531df2013c4..c6ebf3e6adfd 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -16,12 +16,40 @@ #include #include "pkcs7_parser.h" +#ifdef CONFIG_CHECK_CODESIGN_EKU +static bool check_eku_by_usage(struct key *key, enum key_being_used_for usage) +{ + struct public_key *public_key = key->payload.data[asym_crypto]; + bool ret = true; + + switch (usage) { + case VERIFYING_MODULE_SIGNATURE: + case VERIFYING_KEXEC_PE_SIGNATURE: + ret = !!(public_key->eku & EKU_codeSigning); + if (!ret) + pr_warn("The signer '%s' key is not CodeSigning\n", + key->description); + break; + default: + break; + } + return ret; +} +#else +static bool check_eku_by_usage(struct key *key, enum key_being_used_for usage) +{ + return true; +} +#endif + /* * Check the trust on one PKCS#7 SignedInfo block. */ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage, + bool check_eku) { struct public_key_signature *sig = sinfo->sig; struct x509_certificate *x509, *last = NULL, *p; @@ -112,6 +140,10 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return -ENOKEY; matched: + if (check_eku && !check_eku_by_usage(key, usage)) { + key_put(key); + return -ENOKEY; + } ret = verify_signature(key, sig); key_put(key); if (ret < 0) { @@ -135,6 +167,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * pkcs7_validate_trust - Validate PKCS#7 trust chain * @pkcs7: The PKCS#7 certificate to validate * @trust_keyring: Signing certificates to use as starting points + * @usage: The use to which the key is being put. + * @check_eku: Check EKU (Extended Key Usage) * * Validate that the certificate chain inside the PKCS#7 message intersects * keys we already know and trust. @@ -156,7 +190,9 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * May also return -ENOMEM. */ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage, + bool check_eku) { struct pkcs7_signed_info *sinfo; struct x509_certificate *p; @@ -167,7 +203,8 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, p->seen = false; for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { - ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring); + ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring, + usage, check_eku); switch (ret) { case -ENOKEY: continue; diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..5d87b8a02f79 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -30,7 +30,9 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, * pkcs7_trust.c */ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring); + struct key *trust_keyring, + enum key_being_used_for usage, + bool check_eku); /* * pkcs7_verify.c diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..3da982c3aef5 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -9,6 +9,7 @@ #define _KEYS_SYSTEM_KEYRING_H #include +#include #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING @@ -59,13 +60,15 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) #ifdef CONFIG_SYSTEM_REVOCATION_LIST extern int add_key_to_revocation_list(const char *data, size_t size); -extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7, + enum key_being_used_for usage); #else static inline int add_key_to_revocation_list(const char *data, size_t size) { return 0; } -static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7, + enum key_being_used_for usage); { return -ENOKEY; } From patchwork Fri May 21 09:42:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 445983 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32289C43462 for ; Fri, 21 May 2021 09:43:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 179F4613CE for ; Fri, 21 May 2021 09:43:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237022AbhEUJoz (ORCPT ); Fri, 21 May 2021 05:44:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33522 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237035AbhEUJoq (ORCPT ); Fri, 21 May 2021 05:44:46 -0400 Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 05C48C061763; Fri, 21 May 2021 02:43:22 -0700 (PDT) Received: by mail-pf1-x42b.google.com with SMTP id s19so12264178pfe.8; Fri, 21 May 2021 02:43:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=3fW/X6CDJun4GeFDv0qlSVaN/oKNmuZ2pQXfLhoe16g=; b=gD3+4cZ8CRKAcMPUBXx20jePFWmgOvIuBv3E0pzISRwlYlnNIDp2M2qEIsuTzwKFzo LeSClkpVUCHvB46vWLZMDGrkAT9TrECfzr8YTTZTqWJH/6evdKC0rxBr3Mp1EUfuiT9t f5ru9/mSezvHZdcIqJ7gotVvPKHRQfCxjwidv2AAZ2ERInoWuSpNNSIIdNPxRAab4b7O n1hx6MhJ4pvJUaR/lXUVXNG1LDQPt9V9IR9IJWBdeP2pkV6S7RspRlkv5uM8tSMrhF+d 2AEHEM7n43dBi+y4lAyTp5sxJIuG9taVAC+bPuo3LLGgQTZmg/LAuy2Y5LKN9xR1oXou fI5A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=3fW/X6CDJun4GeFDv0qlSVaN/oKNmuZ2pQXfLhoe16g=; b=bGwncF+9f3T43MYGSLYG/y3UyWgEvf3Y8QwxoG9Wwomo2QxY3PJX2ipbytTAKBrJfg rgI3JW8We8jkt7YIWd+vKkxF9Kwe7Xdua8nXhEYTL9fCcUWsr40OJqws6rn2jGhJwbjt qiAqrhMNLcx88DAdcAyRCpgdcrXzPc6xjK60TCl0DxgM0oucDfE6FBFkoiiu+zkyBrx9 HmSkKa6jejLSnSm0ST6HWG0qU/A97AKbJ1gLjo0qpqZpc++i6yrAI4AN0aKHd4BZMC9r o3shLBFrght/WoKAbJEpqc8bcZl9xZa9CQM9HSRnC7xLFXMQM+x9RodZgbFeEAzxDXGP GKyQ== X-Gm-Message-State: AOAM531FboH4ggjVNsx1nMaRDoFC+qeXwhE1nzMJd6pntoF3xpFnW+g7 fZjscJgJ+1+Yxhf5gNSGIiQ= X-Google-Smtp-Source: ABdhPJwXtId1F8P4UAPWrmS7KHVQHIYF8BWeqgqGYmJa5CUD+4uNQtGHH4vO8PNcn2ldWPrPev8cEQ== X-Received: by 2002:aa7:8d46:0:b029:2de:75aa:1964 with SMTP id s6-20020aa78d460000b02902de75aa1964mr9363367pfe.61.1621590201641; Fri, 21 May 2021 02:43:21 -0700 (PDT) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id g202sm4091931pfb.54.2021.05.21.02.43.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 May 2021 02:43:21 -0700 (PDT) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , Varad Gautam , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH v7, 3/4] modsign: Add codeSigning EKU when generating X.509 key generation config Date: Fri, 21 May 2021 17:42:19 +0800 Message-Id: <20210521094220.1238-4-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210521094220.1238-1-jlee@suse.com> References: <20210521094220.1238-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add codeSigning EKU to the X.509 key generation config for the build time autogenerated kernel key. Signed-off-by: "Lee, Chun-Yi" --- certs/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/Makefile b/certs/Makefile index 359239a0ee9e..278e83d23aeb 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -99,6 +99,7 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ "extendedKeyUsage=codeSigning" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) From patchwork Fri May 21 09:42:20 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chun-Yi" X-Patchwork-Id: 444785 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 51BF6C433B4 for ; Fri, 21 May 2021 09:43:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 39D68611AD for ; Fri, 21 May 2021 09:43:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237137AbhEUJpI (ORCPT ); Fri, 21 May 2021 05:45:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33538 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236992AbhEUJot (ORCPT ); Fri, 21 May 2021 05:44:49 -0400 Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 347D6C06138A; Fri, 21 May 2021 02:43:26 -0700 (PDT) Received: by mail-pj1-x102f.google.com with SMTP id n6-20020a17090ac686b029015d2f7aeea8so7045442pjt.1; Fri, 21 May 2021 02:43:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=wB1I6Nqq7AfdRuGhioLL2RWvT/EvSUrtBmeOoGNpC4c=; b=VbK2759OZmIs9Uj0BIE0/1K+PyTaHDk8/CI8o3Tw9RUf+sUBvzmx1RoZwmvicUB8w4 cWUL/ZsVw7vRAmJCvC4VhiNIsSJRQYYsikPH6qbaYHehkr0CRO3OKSWQxKmb6zy+k6jm jmZLloCR6zNCS2dzvfta5Jlm3frNi9a9FJnChKYfQXIYxFtdQHOhyNC4W+22ellojM20 Skq4dskAHXfBTFP6QuWtxAdAZbRnm6c/0uXkqiRgyKhoOkRcQpDO35mGSUT2woUaI93t pKaSEnyq6hnVfe6qP/aGIx9o4jpQaixTfGMp/HVZ2jqtXEZsvZeYRLHo+41MajnhD45k 4Njw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=wB1I6Nqq7AfdRuGhioLL2RWvT/EvSUrtBmeOoGNpC4c=; b=Hicv8axTr9OQEE1po/qjDXs/KlQtNCvDljzxgnbxl19mCVKqeMSQPce5A/N69pp+KU heLewmoPvbGNfctNc0NCBHUq7RuGjb5l4ioluhOMgbK+/L6k0Z4shiK0c0KM82wBff+E GG1LWgiYdSJQR22jdrU7zznUx9mR6IQ7v7Ag5UnXHH8Eg35hXvsOtXqjKFZrlZx7rUal 0j0gOnO0GBfuJbee25IC6+Q1vZa3sLzBSGRove3aeIysifJNwgXq3YRm6QcQhmAFQpHL 6SUSjALEuNhY7lCvFveetAl+mBjiIx2z1TDnurQqw8EaaRuOIjNGfPrZFfJbg6AAq6Q/ sQNg== X-Gm-Message-State: AOAM530sIFIpxeVUG1J3gymBdiDRfjlKQGRTa0IOBagTSFBrGxpoC5aI nd395q21aRcd2wOrVDrToJg= X-Google-Smtp-Source: ABdhPJwhX4piJdAwEmZ+oCZlh/WxLpDJi8RzJnOuKqFfzfSMTnqDk3lxHJPub4ud5OefoN4ysVgZjw== X-Received: by 2002:a17:902:a3cd:b029:f3:d14:a17 with SMTP id q13-20020a170902a3cdb02900f30d140a17mr11232820plb.3.1621590205740; Fri, 21 May 2021 02:43:25 -0700 (PDT) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id g202sm4091931pfb.54.2021.05.21.02.43.22 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 May 2021 02:43:25 -0700 (PDT) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , Varad Gautam , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" Subject: [PATCH v7, 4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU Date: Fri, 21 May 2021 17:42:20 +0800 Message-Id: <20210521094220.1238-5-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20210521094220.1238-1-jlee@suse.com> References: <20210521094220.1238-1-jlee@suse.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add an openssl command option example for generating CodeSign extended key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU is enabled. Signed-off-by: "Lee, Chun-Yi" --- Documentation/admin-guide/module-signing.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst index 7d7c7c8a545c..ca3b8f19466c 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -170,6 +170,12 @@ generate the public/private key files:: -config x509.genkey -outform PEM -out kernel_key.pem \ -keyout kernel_key.pem +When ``CONFIG_CHECK_CODESIGN_EKU`` option is enabled, the following openssl +command option should be added where for generating CodeSign extended key usage +in X.509:: + + -addext "extendedKeyUsage=codeSigning" + The full pathname for the resulting kernel_key.pem file can then be specified in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will be used instead of an autogenerated keypair.