Currently, the module signing script assumes that the private key is
not password-protected. This patch makes it slightly more secure by
allowing it to be passed in on the command line as "make
modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during
the build of course, but so is an unprotected signing key.
I'm not sure how to securely give the password to the perl signing
script. OpenSSL will prompt you for it in stdin if one isn't provided,
but that's obviously not reasonable if you're building many modules.
Signed-off-by: Emily Maier <emilymaier@xxxxxxxxxxx>
---
Documentation/dontdiff | 1 +
Makefile | 7 ++++++-
scripts/sign-file | 18 +++++++++++++-----
3 files changed, 20 insertions(+), 6 deletions(-)
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Documentation/dontdiff linux-3.13.2-devel/Documentation/dontdiff
--- linux-3.13.2/Documentation/dontdiff 2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/Documentation/dontdiff 2014-02-09 15:30:41.719448065 -0500
@@ -214,6 +214,7 @@ setup
setup.bin
setup.elf
sImage
+signing_key.*
sm_tbl*
split-include
syscalltab.h
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Makefile linux-3.13.2-devel/Makefile
--- linux-3.13.2/Makefile 2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/Makefile 2014-02-09 16:34:19.727020032 -0500
@@ -742,11 +742,16 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz
# choose a sane default compression above.
# export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
+ifdef MOD_PASSWORD
+mod_sign_cmd = perl $(srctree)/scripts/sign-file -p $(MOD_PASSWORD)
+else
+mod_sign_cmd = perl $(srctree)/scripts/sign-file
+endif
ifdef CONFIG_MODULE_SIG_ALL
MODSECKEY = ./signing_key.priv
MODPUBKEY = ./signing_key.x509
export MODPUBKEY
-mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
+mod_sign_cmd += $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
else
mod_sign_cmd = true
endif
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/scripts/sign-file linux-3.13.2-devel/scripts/sign-file
--- linux-3.13.2/scripts/sign-file 2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/scripts/sign-file 2014-02-09 15:16:22.198684877 -0500
@@ -5,7 +5,8 @@
my $USAGE =
"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
-" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
+" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n" .
+" scripts/sign-file [-v] -p <password> <hash algo> <x509> <module> [<dest>]";
use strict;
use FileHandle;
@@ -13,9 +14,10 @@ use IPC::Open2;
use Getopt::Std;
my %opts;
-getopts('vs:', \%opts) or die $USAGE;
+getopts('vs:p:', \%opts) or die $USAGE;
my $verbose = $opts{'v'};
my $signature_file = $opts{'s'};
+my $password = $opts{'p'};
die $USAGE if ($#ARGV > 4);
die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
@@ -365,9 +367,15 @@ if ($signature_file) {
# comprises the signature with no metadata attached.
#
my $pid;
- $pid = open2(*read_from, *write_to,
- "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
- die "openssl rsautl";
+ if ($password) {
+ $pid = open2(*read_from, *write_to,
+ "openssl rsautl -sign -inkey $private_key -keyform PEM \\
+ -passin pass:$password") || die "openssl rsautl";
+ } else {
+ $pid = open2(*read_from, *write_to,
+ "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+ die "openssl rsautl";
+ }
binmode write_to;
print write_to $prologue . $digest || die "pipe to openssl rsautl";
close(write_to) || die "pipe to openssl rsautl";
Attachment:
signature.asc
Description: OpenPGP digital signature
