From patchwork Thu Apr 29 07:28:48 2021
X-Patchwork-Submitter: "Lee, Chun-Yi"
X-Patchwork-Id: 429330
From: "Lee, Chun-Yi"
To: David Howells
Cc: Herbert Xu, "David S . Miller", Ben Boeckel, Randy Dunlap, Malte Gell, Varad Gautam, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH v6,1/4] X.509: Add CodeSigning extended key usage parsing
Date: Thu, 29 Apr 2021 15:28:48 +0800
Message-Id: <20210429072851.24057-2-jlee@suse.com>
In-Reply-To: <20210429072851.24057-1-jlee@suse.com>
References: <20210429072851.24057-1-jlee@suse.com>
X-Mailing-List: linux-crypto@vger.kernel.org

This patch adds the logic for parsing the CodeSign extended key usage extension in X.509. The parsing result will be set to the eku flag, which is carried by the public key. It can be used in PKCS#7 verification.

Signed-off-by: "Lee, Chun-Yi"
---
crypto/asymmetric_keys/x509_cert_parser.c | 25 +++++++++++++++++++++++++
include/crypto/public_key.h | 1 +
include/linux/oid_registry.h | 5 +++++
3 files changed, 31 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 6d003096b5bc..996db9419474 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -542,6 +542,8 @@ int x509_process_extension(void *context, size_t hdrlen, struct x509_parse_context *ctx = context; struct asymmetric_key_id *kid; const unsigned char *v = value; + int i = 0; + enum OID oid; pr_debug("Extension: %u\n", ctx->last_oid); 
@@ -571,6 +573,29 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_extKeyUsage) { + if (vlen < 2 || + v[0] != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ) || + v[1] != vlen - 2) + return -EBADMSG; + i += 2; + + while (i < vlen) { + /* A 10 bytes EKU OID Octet blob = + * ASN1_OID + size byte + 8 bytes OID */ + if ((i + 10) > vlen || v[i] != ASN1_OID || v[i + 1] != 8) + return -EBADMSG; + + oid = look_up_OID(v + i + 2, v[i + 1]); + if (oid == OID_codeSigning) { + ctx->cert->pub->eku |= EKU_codeSigning; + } + i += 10; + } + pr_debug("extKeyUsage: %d\n", ctx->cert->pub->eku); + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..1ccaebe2a28b 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -28,6 +28,7 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned int eku : 9; /* Extended Key Usage (9-bit) */ }; extern void public_key_free(struct public_key *key); diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index 461b7aa587ba..8c8935f0eb73 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h 
@@ -125,9 +125,14 @@ enum OID { OID_TPMImportableKey, /* 2.23.133.10.1.4 */ OID_TPMSealedData, /* 2.23.133.10.1.5 */ + /* Extended key purpose OIDs [RFC 5280] */ + OID_codeSigning, /* 1.3.6.1.5.5.7.3.3 */ + OID__NR }; +#define EKU_codeSigning (1 << 2) + extern enum OID look_up_OID(const void *data, size_t datasize); extern int parse_OID(const void *data, size_t datasize, enum OID *oid); extern int sprint_oid(const void *, size_t, char *, size_t);
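Review bot: in the "@@ -542,6 +542,8 @@" hunk of x509_cert_parser.c, "int i = 0;" is later compared against vlen, which is a size_t, so "while (i < vlen)" and "(i + 10) > vlen" mix signed and unsigned arithmetic and will trip -Wsign-compare; declare i as size_t, and consider scoping both i and oid inside the OID_extKeyUsage branch, since nothing else in x509_process_extension() uses them.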
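Review bot: in the "@@ -571,6 +573,29 @@" hunk the loop hard-codes every EKU member as a 10-byte blob ("v[i] != ASN1_OID || v[i + 1] != 8") and returns -EBADMSG otherwise, so a certificate whose extKeyUsage contains any OID that is not exactly 8 bytes long fails to parse at all: anyExtendedKeyUsage (2.5.29.37.0) encodes to 4 bytes, and vendor purposes under the Microsoft 1.3.6.1.4.1.311 arc are longer than 8. Since the goal is only to spot id-kp-codeSigning, read the length byte, bounds-check "i + 2 + v[i + 1]" against vlen, advance by that amount, and let look_up_OID() return OID__NR for anything it does not recognise instead of rejecting the certificate. The same hunk also assumes a short-form SEQUENCE length ("v[1] != vlen - 2"), which holds for the sizes seen in practice but deserves a comment.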
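Review bot: the "@@ -28,6 +28,7 @@" hunk in public_key.h adds "unsigned int eku : 9;" with only the comment "Extended Key Usage (9-bit)", but nothing documents what each of the nine bits means; the only flag this series defines is EKU_codeSigning (1 << 2), which suggests bit n-1 stands for id-kp n from RFC 5280 section 4.2.1.12, so spell that mapping out in the comment (or define the full set of EKU_* flags beside the field) so that later additions do not pick conflicting bits.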
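Review bot: in the "@@ -125,9 +125,14 @@" hunk, "#define EKU_codeSigning (1 << 2)" is a bit in struct public_key's eku field, not an OID, so it belongs in include/crypto/public_key.h next to the field it describes rather than in oid_registry.h; the OID_codeSigning enum entry with its "/* 1.3.6.1.5.5.7.3.3 */" comment is what build_OID_registry consumes and is fine where it is.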
From patchwork Thu Apr 29 07:28:49 2021
X-Patchwork-Submitter: "Lee, Chun-Yi"
X-Patchwork-Id: 429961
From: "Lee, Chun-Yi"
To: David Howells
Cc: Herbert Xu, "David S . Miller", Ben Boeckel, Randy Dunlap, Malte Gell, Varad Gautam, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH v6, 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification
Date: Thu, 29 Apr 2021 15:28:49 +0800
Message-Id: <20210429072851.24057-3-jlee@suse.com>
In-Reply-To: <20210429072851.24057-1-jlee@suse.com>
References: <20210429072851.24057-1-jlee@suse.com>
X-Mailing-List: linux-crypto@vger.kernel.org

This patch adds the logic for checking the CodeSigning extended key usage when verifying the signature of a kernel module or kexec PE binary in PKCS#7.

Signed-off-by: "Lee, Chun-Yi"
---
certs/system_keyring.c | 2 +-
crypto/asymmetric_keys/Kconfig | 9 +++++++++
crypto/asymmetric_keys/pkcs7_trust.c | 38 +++++++++++++++++++++++++++++++++---
include/crypto/pkcs7.h | 3 ++-
4 files changed, 47 insertions(+), 5 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 0c9a4795e847..302ca0555e75 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -206,7 +206,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len, goto error; } } - ret = pkcs7_validate_trust(pkcs7, trusted_keys); + ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage); if (ret < 0) { if (ret == -ENOKEY) pr_devel("PKCS#7 signature not signed with a trusted key\n"); diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 1f1f004dc757..1754812df989 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig 
@@ -96,4 +96,13 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. +config CHECK_CODESIGN_EKU + bool "Check codeSigning extended key usage" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION + help + This option provides support for checking the codeSigning extended + key usage when verifying the signature in PKCS#7. It affects kernel + module verification and kexec PE binary verification. + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index b531df2013c4..7c27bf81aca9 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -16,12 +16,36 @@ #include #include "pkcs7_parser.h" +#ifdef CONFIG_CHECK_CODESIGN_EKU +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + struct public_key *public_key = key->payload.data[asym_crypto]; + + switch (usage) { + case VERIFYING_MODULE_SIGNATURE: + case VERIFYING_KEXEC_PE_SIGNATURE: + return !!(public_key->eku & EKU_codeSigning); + default: + break; + } + return true; +} +#else +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + return true; +} +#endif + /* * Check the trust on one PKCS#7 SignedInfo block. */ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct public_key_signature *sig = sinfo->sig; struct x509_certificate *x509, *last = NULL, *p; @@ -112,6 +136,12 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return -ENOKEY; matched: + if (!check_codesign_eku(key, usage)) { + pr_warn("sinfo %u: The signer %x key is not CodeSigning\n", + sinfo->index, key_serial(key)); + key_put(key); + return -ENOKEY; + } ret = verify_signature(key, sig); key_put(key); if (ret < 0) { 
@@ -135,6 +165,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * pkcs7_validate_trust - Validate PKCS#7 trust chain * @pkcs7: The PKCS#7 certificate to validate * @trust_keyring: Signing certificates to use as starting points + * @usage: The use to which the key is being put. * * Validate that the certificate chain inside the PKCS#7 message intersects * keys we already know and trust. @@ -156,7 +187,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * May also return -ENOMEM. */ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct pkcs7_signed_info *sinfo; struct x509_certificate *p; @@ -167,7 +199,7 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, p->seen = false; for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { - ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring); + ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring, usage); switch (ret) { case -ENOKEY: continue; diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..b3b48240ba73 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h 
@@ -30,7 +30,8 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, * pkcs7_trust.c */ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring); + struct key *trust_keyring, + enum key_being_used_for usage); /* * pkcs7_verify.c
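Review bot: the "@@ -96,4 +96,13 @@" Kconfig hunk's help text should state the compatibility consequence of enabling CHECK_CODESIGN_EKU: every key already present in the trusted keyrings (distribution signing certificates, keys enrolled from firmware, keys generated by earlier builds) that lacks the codeSigning EKU will from then on fail module and kexec verification with -ENOKEY. A sentence such as "Trusted keys that do not carry the codeSigning EKU are rejected for these uses" would spare users a confusing boot.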
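Review bot: in the "@@ -16,12 +16,36 @@" hunk of pkcs7_trust.c, check_codesign_eku() is applied to key, the trusted keyring entry that anchors the chain, not to the certificate that produced sinfo->sig. For the usual kernel module case (signing certificate built into the keyring, no certificate chain in the message) those are the same key, but when the PKCS#7 message carries a chain and the keyring holds the CA, the CA key is what gets tested: a CA certificate normally has no codeSigning EKU, so a valid chain is rejected, while the leaf's own EKU is never inspected. Tie the check to the signing certificate (sinfo->signer->pub->eku when a signer certificate is present) or document that the option only supports directly trusted signing keys.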
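Review bot: in the "@@ -112,6 +136,12 @@" hunk, returning -ENOKEY when check_codesign_eku() fails makes the caller's "case -ENOKEY: continue;" treat a wrong-purpose key exactly like "no trusted key found", so verify_pkcs7_message_sig() then logs "PKCS#7 signature not signed with a trusted key" even though the key was found and is trusted; the pr_warn is the only clue. Either return a distinct error such as -EKEYREJECTED (noting that it then propagates through the default case and stops validation of the remaining signed infos) or at least reword "The signer %x key is not CodeSigning" to say which EKU was expected, e.g. "key %x lacks the codeSigning EKU".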
From patchwork Thu Apr 29 07:28:50 2021
X-Patchwork-Submitter: "Lee, Chun-Yi"
X-Patchwork-Id: 429959
From: "Lee, Chun-Yi"
To: David Howells
Cc: Herbert Xu, "David S . Miller", Ben Boeckel, Randy Dunlap, Malte Gell, Varad Gautam, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH v6, 3/4] modsign: Add codeSigning EKU when generating X.509 key generation config
Date: Thu, 29 Apr 2021 15:28:50 +0800
Message-Id: <20210429072851.24057-4-jlee@suse.com>
In-Reply-To: <20210429072851.24057-1-jlee@suse.com>
References: <20210429072851.24057-1-jlee@suse.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Add codeSigning EKU to the X.509 key generation config for the build-time autogenerated kernel key.

Signed-off-by: "Lee, Chun-Yi"
---
certs/Makefile | 1 +
1 file changed, 1 insertion(+)

diff --git a/certs/Makefile b/certs/Makefile index b6db52ebf0be..d9515d68778f 100644 --- a/certs/Makefile +++ b/certs/Makefile 
@@ -89,6 +89,7 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ "extendedKeyUsage=codeSigning" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY))
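Review bot: the "@@ -89,6 +89,7 @@" hunk only affects a freshly generated x509.genkey: the target has no prerequisites, so an existing build tree keeps its old x509.genkey and the signing_key.pem derived from it, neither of which carries the EKU, and enabling CONFIG_CHECK_CODESIGN_EKU in such a tree rejects the tree's own module signing key at boot. Worth a line in the Kconfig help or in module-signing.rst telling people to delete certs/x509.genkey and certs/signing_key.pem (or otherwise regenerate the key) when switching the option on.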
From patchwork Thu Apr 29 07:28:51 2021
X-Patchwork-Submitter: "Lee, Chun-Yi"
X-Patchwork-Id: 429329
From: "Lee, Chun-Yi"
To: David Howells
Cc: Herbert Xu, "David S . Miller", Ben Boeckel, Randy Dunlap, Malte Gell, Varad Gautam, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH v6, 4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU
Date: Thu, 29 Apr 2021 15:28:51 +0800
Message-Id: <20210429072851.24057-5-jlee@suse.com>
In-Reply-To: <20210429072851.24057-1-jlee@suse.com>
References: <20210429072851.24057-1-jlee@suse.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Add an openssl command option example for generating CodeSign extended key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU is enabled.

Signed-off-by: "Lee, Chun-Yi"
---
Documentation/admin-guide/module-signing.rst | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst index 7d7c7c8a545c..ca3b8f19466c 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -170,6 +170,12 @@ generate the public/private key files:: -config x509.genkey -outform PEM -out kernel_key.pem \ -keyout kernel_key.pem +When ``CONFIG_CHECK_CODESIGN_EKU`` option is enabled, the following openssl +command option should be added where for generating CodeSign extended key usage +in X.509:: + + -addext "extendedKeyUsage=codeSigning" + The full pathname for the resulting kernel_key.pem file can then be specified in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will be used instead of an autogenerated keypair.
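Review bot: in the "@@ -170,6 +170,12 @@" hunk the added sentence reads "command option should be added where for generating CodeSign extended key usage"; the stray "where" should go, and the text should say where the option goes (on the "openssl req" command line shown just above it). Two caveats are worth adding: -addext only exists in OpenSSL 1.1.1 and later, and the equivalent for older releases, which is also what certs/Makefile does for the autogenerated key, is an "extendedKeyUsage=codeSigning" line in the "[ myexts ]" section of x509.genkey.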