Re: [PATCH v2 2/5] keys: generate self-signed module signing key using CSR

Stefan Berger <stefanb@xxxxxxxxxxxxx> · Fri, 19 Feb 2021 10:15:06 -0500

On 2/18/21 5:00 PM, Nayna Jain wrote:
Loading a key on the IMA trusted keyring requires the key be signed
by an existing key on the builtin or secondary trusted keyring.
Creating a Certificate Signing Request (CSR) allows the certificate
to be self-signed or signed by a CA.

Generate a self-signed module signing key using CSR.

Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx>

Tested this also as part of a patch I am going to post.

Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>


---
  Makefile       |  3 ++-
  certs/Makefile | 15 +++++++++++----
  2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 004163a4e6b3..a971d4ae40bd 100644
--- a/Makefile
+++ b/Makefile
@@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated          \
  		  .config .config.old .version \
  		  Module.symvers \
  		  certs/signing_key.pem certs/signing_key.x509 \
-		  certs/x509.genkey \
+		  certs/x509.genkey certs/signing_key.key \
+		  certs/signing_key.crt certs/signing_key.csr \
  		  vmlinux-gdb.py \
  		  *.spec
  
diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..b2be7eb413d3 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
  	@$(kecho) "### needs to be run as root, and uses a hardware random"
  	@$(kecho) "### number generator if one is available."
  	@$(kecho) "###"
-	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-		-batch -x509 -config $(obj)/x509.genkey \
-		-outform PEM -out $(obj)/signing_key.pem \
-		-keyout $(obj)/signing_key.pem \
+	$(Q)openssl req -new -nodes -utf8 \
+		-batch -config $(obj)/x509.genkey \
+		-outform PEM -out $(obj)/signing_key.csr \
+		-keyout $(obj)/signing_key.key -extensions myexts \
  		$($(quiet)redirect_openssl)
+	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
+		-outform PEM -out $(obj)/signing_key.crt \
+		-signkey $(obj)/signing_key.key \
+		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
+		-extfile $(obj)/x509.genkey \
+		$($(quiet)redirect_openssl)
+	@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem
  	@$(kecho) "###"
  	@$(kecho) "### Key pair generated."
  	@$(kecho) "###"








