git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	David Howells <dhowells@redhat.com>
	Mon, 20 Jul 2015 20:16:27 +0000 (21:16 +0100)
committer	David Howells <dhowells@redhat.com>
	Fri, 7 Aug 2015 15:26:13 +0000 (16:26 +0100)
commit	bc1c373dd2a5113800360f7152be729c9da996cc
tree	76250e463a070570a2dbd226c5fa8ee3d70de363	tree \| snapshot
parent	4ebdb76f7da662346267384440492bb9d87c2aa3	commit \| diff

MODSIGN: Provide a utility to append a PKCS#7 signature to a module

Provide a utility that:

(1) Digests a module using the specified hash algorithm (typically sha256).

     [The digest can be dumped into a file by passing the '-d' flag]

(2) Generates a PKCS#7 message that:

     (a) Has detached data (ie. the module content).

     (b) Is signed with the specified private key.

     (c) Refers to the specified X.509 certificate.

     (d) Has an empty X.509 certificate list.

     [The PKCS#7 message can be dumped into a file by passing the '-p' flag]

(3) Generates a signed module by concatenating the old module, the PKCS#7
     message, a descriptor and a magic string.  The descriptor contains the
     size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7.

(4) Either writes the signed module to the specified destination or renames
     it over the source module.

This allows module signing to reuse the PKCS#7 handling code that was added
for PE file parsing for signed kexec.

Note that the utility is written in C and must be linked against the OpenSSL
crypto library.

Note further that I have temporarily dropped support for handling externally
created signatures until we can work out the best way to do those.  Hopefully,
whoever creates the signature can give me a PKCS#7 certificate.

Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>

include/crypto/public_key.h		diff \| blob \| history
scripts/sign-file.c	[new file with mode: 0755]	blob