Currently, the module signing script assumes that the private key is not password-protected. This patch makes it slightly more secure by allowing it to be passed in on the command line as "make modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during the build of course, but so is an unprotected signing key. I'm not sure how to securely give the password to the perl signing script. OpenSSL will prompt you for it in stdin if one isn't provided, but that's obviously not reasonable if you're building many modules. Signed-off-by: Emily Maier <emilymaier@xxxxxxxxxxx> --- Documentation/dontdiff | 1 + Makefile | 7 ++++++- scripts/sign-file | 18 +++++++++++++----- 3 files changed, 20 insertions(+), 6 deletions(-) diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Documentation/dontdiff linux-3.13.2-devel/Documentation/dontdiff --- linux-3.13.2/Documentation/dontdiff 2014-02-06 14:42:22.000000000 -0500 +++ linux-3.13.2-devel/Documentation/dontdiff 2014-02-09 15:30:41.719448065 -0500 @@ -214,6 +214,7 @@ setup setup.bin setup.elf sImage +signing_key.* sm_tbl* split-include syscalltab.h diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Makefile linux-3.13.2-devel/Makefile --- linux-3.13.2/Makefile 2014-02-06 14:42:22.000000000 -0500 +++ linux-3.13.2-devel/Makefile 2014-02-09 16:34:19.727020032 -0500 @@ -742,11 +742,16 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz # choose a sane default compression above. # export INITRD_COMPRESS := $(INITRD_COMPRESS-y) +ifdef MOD_PASSWORD +mod_sign_cmd = perl $(srctree)/scripts/sign-file -p $(MOD_PASSWORD) +else +mod_sign_cmd = perl $(srctree)/scripts/sign-file +endif ifdef CONFIG_MODULE_SIG_ALL MODSECKEY = ./signing_key.priv MODPUBKEY = ./signing_key.x509 export MODPUBKEY -mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) +mod_sign_cmd += $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) else mod_sign_cmd = true endif diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/scripts/sign-file linux-3.13.2-devel/scripts/sign-file --- linux-3.13.2/scripts/sign-file 2014-02-06 14:42:22.000000000 -0500 +++ linux-3.13.2-devel/scripts/sign-file 2014-02-09 15:16:22.198684877 -0500 @@ -5,7 +5,8 @@ my $USAGE = "Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" . -" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n"; +" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n" . +" scripts/sign-file [-v] -p <password> <hash algo> <x509> <module> [<dest>]"; use strict; use FileHandle; @@ -13,9 +14,10 @@ use IPC::Open2; use Getopt::Std; my %opts; -getopts('vs:', \%opts) or die $USAGE; +getopts('vs:p:', \%opts) or die $USAGE; my $verbose = $opts{'v'}; my $signature_file = $opts{'s'}; +my $password = $opts{'p'}; die $USAGE if ($#ARGV > 4); die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2); @@ -365,9 +367,15 @@ if ($signature_file) { # comprises the signature with no metadata attached. # my $pid; - $pid = open2(*read_from, *write_to, - "openssl rsautl -sign -inkey $private_key -keyform PEM") || - die "openssl rsautl"; + if ($password) { + $pid = open2(*read_from, *write_to, + "openssl rsautl -sign -inkey $private_key -keyform PEM \\ + -passin pass:$password") || die "openssl rsautl"; + } else { + $pid = open2(*read_from, *write_to, + "openssl rsautl -sign -inkey $private_key -keyform PEM") || + die "openssl rsautl"; + } binmode write_to; print write_to $prologue . $digest || die "pipe to openssl rsautl"; close(write_to) || die "pipe to openssl rsautl";
Attachment:
signature.asc
Description: OpenPGP digital signature