-rw-r--r-- | Documentation/module-signing.txt | 31 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | init/Kconfig | 14 | ||||
-rw-r--r-- | kernel/Makefile | 5 |
4 files changed, 46 insertions, 6 deletions
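--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -88,6 +88,22 @@ This has a number of options available:
 than being a module) so that modules signed with that algorithm can have
 their signatures checked without causing a dependency loop.
 
+(4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
+
+Setting this option to something other than its default of
+"signing_key.priv" will disable the autogeneration of signing keys and
+allow the kernel modules to be signed with a key of your choosing.
+The string provided should identify a file containing a private key
+in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11 is
+appropriately installed — a PKCS#11 URI as defined by RFC7512.
+
+If the PEM file containing the private key is encrypted, or if the
+PKCS#11 token requries a PIN, this can be provided at build time by
+means of the KBUILD_SIGN_PIN variable.
+
+The corresponding X.509 certificate in DER form should still be placed
+in a file named signing_key.x509 in the top-level build directory.
+
 
 =======================
 GENERATING SIGNING KEYS
@@ -100,8 +116,9 @@ it can be deleted or stored securely. The public key gets built into the
 kernel so that it can be used to check the signatures as the modules are
 loaded.
 
-Under normal conditions, the kernel build will automatically generate a new
-keypair using openssl if one does not exist in the files:
+Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its
+default of "signing_key.priv", the kernel build will automatically generate
+a new keypair using openssl if one does not exist in the files:
 
 signing_key.priv
 signing_key.x509
@@ -135,8 +152,12 @@ kernel sources tree and the openssl command. The following is an example to
 generate the public/private key files:
 
 openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
--config x509.genkey -outform DER -out signing_key.x509 \
--keyout signing_key.priv
+-config x509.genkey -outform PEM -out kernel_key.pem \
+-keyout kernel_key.pem
+
+The full pathname for the resulting kernel_key.pem file can then be specified
+in the CONFIG_MODULE_SIG_KEY option, and the certificate and key therein will
+be used instead of an autogenerated keypair.
 
 
 =========================
@@ -181,7 +202,7 @@ To manually sign a module, use the scripts/sign-file tool available in
 the Linux kernel source tree. The script requires 4 arguments:
 
 1. The hash algorithm (e.g., sha256)
-2. The private key filename
+2. The private key filename or PKCS#11 URI
 3. The public key filename
 4. The kernel module to be signed
 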
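--- a/Makefile
+++ b/Makefile
@@ -870,7 +870,7 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4
 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
 
 ifdef CONFIG_MODULE_SIG_ALL
-MODSECKEY = ./signing_key.priv
+MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY
 mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)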
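Review bot: `MODPUBKEY` stays hard-coded to `./signing_key.x509` while `MODSECKEY` now follows `CONFIG_MODULE_SIG_KEY`, so nothing on these lines ties the certificate to the configured key. With the autogeneration rule in kernel/Makefile now skipped for a non-default key, a `signing_key.x509` left over from an earlier autogenerated build would presumably still be picked up, and a key/certificate mismatch would likely only surface as signature verification failures at module load. A comment above the assignment would make the contract explicit, e.g. `# MODPUBKEY must be the DER certificate matching $(MODSECKEY); it is not regenerated when CONFIG_MODULE_SIG_KEY is non-default`, and a build-time check that the two correspond would be better still. The `ifdef CONFIG_MODULE_SIG_ALL` block continues past the end of this hunk.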
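--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1948,6 +1948,20 @@ config MODULE_SIG_HASH
 default "sha384" if MODULE_SIG_SHA384
 default "sha512" if MODULE_SIG_SHA512
 
+config MODULE_SIG_KEY
+string "File name or PKCS#11 URI of module signing key"
+default "signing_key.priv"
+depends on MODULE_SIG
+help
+Provide the file name of a private key in PKCS#8 PEM format, or
+a PKCS#11 URI according to RFC7512. The corresponding X.509
+certificate in DER form should be present in signing_key.x509
+in the top-level build directory.
+
+If this option is unchanged from its default "signing_key.priv",
+then the kernel will automatically generate the private key and
+certificate as described in Documentation/module-signing.txt
+
 config MODULE_COMPRESS
 bool "Compress modules on installation"
 depends on MODULES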
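Review bot: The help text for `MODULE_SIG_KEY` does not warn that this string is stored verbatim in `.config`, so a PKCS#11 URI that embeds the token PIN (RFC 7512 allows a `pin-value` attribute) would be persisted with the build configuration and copied wherever that configuration goes. Documentation/module-signing.txt in this commit describes `KBUILD_SIGN_PIN` for supplying the PIN at build time, but the help does not mention it. I would add a sentence such as `Do not embed a PIN or passphrase in this string; supply it at build time via KBUILD_SIGN_PIN.` The help also says "PKCS#8 PEM format" where the documentation says only "PEM form"; the two should agree on what is accepted.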
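--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -170,6 +170,10 @@ ifndef CONFIG_MODULE_SIG_HASH
 $(error Could not determine digest type to use from kernel config)
 endif
 
+# We do it this way rather than having a boolean option for enabling an
+# external private key, because 'make randconfig' might enable such a
+# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
+ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
 signing_key.priv signing_key.x509: x509.genkey
 @echo "###"
 @echo "### Now generating an X.509 key pair to be used for signing modules."
@@ -207,3 +211,4 @@ x509.genkey:
 @echo >>x509.genkey "subjectKeyIdentifier=hash"
 @echo >>x509.genkey "authorityKeyIdentifier=keyid"
 endif
+endif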
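Review bot: The added `ifeq` compares `CONFIG_MODULE_SIG_KEY` against the exact quoted string `"signing_key.priv"`, so any other spelling of the same file (for example `./signing_key.priv`, the value the top-level Makefile used before this commit) switches autogeneration off while signing still points at that file. In that case the key must already exist, and as far as these hunks show the failure would only appear when something later tries to read it. The quotes in the literal are also easy to mistake for a bug; a comment such as `# Kconfig string values keep their double quotes, hence the quoted literal` would help. The rule body between the two hunks is outside the visible lines, so I cannot tell how the rest of the recipe refers to the key file.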