Currently, the module signing script assumes that the private key is not password-protected. This patch makes it somewhat more secure by checking if a password file ("signing_key.pass") exists and passing it to OpenSSL if so. Version 2 changes: removed command line password passing from the Makefile, the password file is now autodetected by the Perl signing script. Signed-off-by: Emily Maier <emilymaier@xxxxxxxxxxx> --- Documentation/dontdiff | 1 + Documentation/module-signing.txt | 3 +++ scripts/sign-file | 13 ++++++++++--- 5 files changed, 15 insertions(+), 4 deletions(-) diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Documentation/dontdiff linux-3.13.2-devel/Documentation/dontdiff --- linux-3.13.2/Documentation/dontdiff 2014-02-06 14:42:22.000000000 -0500 +++ linux-3.13.2-devel/Documentation/dontdiff 2014-02-09 15:30:41.719448065 -0500 @@ -214,6 +214,7 @@ setup setup.bin setup.elf sImage +signing_key.* sm_tbl* split-include syscalltab.h diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Documentation/module-signing.txt linux-3.13.2-devel/Documentation/module-signing.txt --- linux-3.13.2/Documentation/module-signing.txt 2014-02-06 14:42:22.000000000 -0500 +++ linux-3.13.2-devel/Documentation/module-signing.txt 2014-02-13 17:29:54.412512011 -0500 @@ -137,6 +137,9 @@ generate the public/private key files: -config x509.genkey -outform DER -out signing_key.x509 \ -keyout signing_key.priv +If you want to use a signing key with a password, write it to a file called +"signing_key.pass". For security, make sure it is owned by root with 600 +permissions. ========================= PUBLIC KEYS IN THE KERNEL diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/scripts/sign-file linux-3.13.2-devel/scripts/sign-file --- linux-3.13.2/scripts/sign-file 2014-02-06 14:42:22.000000000 -0500 +++ linux-3.13.2-devel/scripts/sign-file 2014-02-13 17:40:26.003859486 -0500 
@@ -365,9 +365,16 @@ if ($signature_file) { # comprises the signature with no metadata attached. # my $pid; - $pid = open2(*read_from, *write_to, - "openssl rsautl -sign -inkey $private_key -keyform PEM") || - die "openssl rsautl"; + my $passfile = "signing_key.pass"; + if (-e $passfile) { + $pid = open2(*read_from, *write_to, + "openssl rsautl -sign -inkey $private_key -keyform PEM \\ + -passin file:$passfile") || die "openssl rsautl"; + } else { + $pid = open2(*read_from, *write_to, + "openssl rsautl -sign -inkey $private_key -keyform PEM") || + die "openssl rsautl"; + } binmode write_to; print write_to $prologue . $digest || die "pipe to openssl rsautl"; close(write_to) || die "pipe to openssl rsautl";
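Review bot: the diffstat is stale and should be regenerated for v2: it reports "5 files changed, 15 insertions(+), 4 deletions(-)", but only three files follow, and their hunks add 1 + 3 + 10 = 14 lines and remove 3, which is consistent with the commit message saying the Makefile change was dropped.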
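Review bot: the `+signing_key.*` entry in Documentation/dontdiff is broader than the commit message describes; besides the new password file it also excludes signing_key.priv and signing_key.x509. Since those two are generated during the build, hiding them from diffs is probably what you want, but the commit message should say so; if only the password file is meant, narrow the entry to `signing_key.pass`.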
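Review bot: the added paragraph in Documentation/module-signing.txt does not say where "signing_key.pass" must live or how it is read, and its ownership advice conflicts with the script that consumes it. scripts/sign-file opens the file by its bare relative name, so it has to sit in the directory the script runs from (the top of the kernel tree, next to signing_key.priv), and OpenSSL's `-passin file:` takes the first line of that file as the passphrase. A root-owned file with mode 600 is unreadable to an unprivileged build user, so the `-e` test in sign-file succeeds and OpenSSL then fails. Suggest stating the location and the one-line format, and recommending that the file be readable only by the user who runs the build (mode 0400 or 0600 owned by that user) rather than by root.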
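Review bot: in the scripts/sign-file hunk, `if (-e $passfile)` should be a readability test with a clear error, and the password file should be located relative to $private_key instead of the hard-coded relative name "signing_key.pass": as written, running the script from any other directory silently takes the unprotected branch, after which OpenSSL prompts for the passphrase on the terminal (or fails without one), and a file that exists but is unreadable passes the check only to fail inside OpenSSL. The two near-identical open2 calls can also collapse into one, for example
    my $passin = -r $passfile ? " -passin file:$passfile" : "";
    $pid = open2(*read_from, *write_to,
                 "openssl rsautl -sign -inkey $private_key -keyform PEM$passin") || die "openssl rsautl";
which also removes the `\\` inside the double-quoted string; that is a literal backslash followed by a newline, and it only works because the command string is handed to /bin/sh, which treats backslash-newline as line continuation.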