Loading Documentation/module-signing.txt +9 −9 Original line number Original line Diff line number Diff line Loading @@ -92,13 +92,13 @@ This has a number of options available: (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) Setting this option to something other than its default of Setting this option to something other than its default of "signing_key.pem" will disable the autogeneration of signing keys and "certs/signing_key.pem" will disable the autogeneration of signing keys allow the kernel modules to be signed with a key of your choosing. and allow the kernel modules to be signed with a key of your choosing. The string provided should identify a file containing both a private The string provided should identify a file containing both a private key key and its corresponding X.509 certificate in PEM form, or — on and its corresponding X.509 certificate in PEM form, or — on systems where systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by as defined by RFC7512. In the latter case, the PKCS#11 URI should RFC7512. In the latter case, the PKCS#11 URI should reference both a reference both a certificate and a private key. certificate and a private key. If the PEM file containing the private key is encrypted, or if the If the PEM file containing the private key is encrypted, or if the PKCS#11 token requries a PIN, this can be provided at build time by PKCS#11 token requries a PIN, this can be provided at build time by Loading Loading 
@@ -130,12 +130,12 @@ Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its default, the kernel build will automatically generate a new keypair using default, the kernel build will automatically generate a new keypair using openssl if one does not exist in the file: openssl if one does not exist in the file: signing_key.pem certs/signing_key.pem during the building of vmlinux (the public part of the key needs to be built during the building of vmlinux (the public part of the key needs to be built into vmlinux) using parameters in the: into vmlinux) using parameters in the: x509.genkey certs/x509.genkey file (which is also generated if it does not already exist). file (which is also generated if it does not already exist). Loading MAINTAINERS +9 −0 Original line number Original line Diff line number Diff line Loading @@ -2589,6 +2589,15 @@ S: Supported F: Documentation/filesystems/ceph.txt F: Documentation/filesystems/ceph.txt F: fs/ceph/ F: fs/ceph/ CERTIFICATE HANDLING: M: David Howells <dhowells@redhat.com> M: David Woodhouse <dwmw2@infradead.org> L: keyrings@linux-nfs.org S: Maintained F: Documentation/module-signing.txt F: certs/ F: scripts/extract-cert.c CERTIFIED WIRELESS USB (WUSB) SUBSYSTEM: CERTIFIED WIRELESS USB (WUSB) SUBSYSTEM: L: linux-usb@vger.kernel.org L: linux-usb@vger.kernel.org S: Orphan S: Orphan Loading Makefile +4 −5 Original line number Original line Diff line number Diff line Loading 
@@ -870,10 +870,9 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y) # export INITRD_COMPRESS := $(INITRD_COMPRESS-y) ifdef CONFIG_MODULE_SIG_ALL ifdef CONFIG_MODULE_SIG_ALL MODSECKEY = $(CONFIG_MODULE_SIG_KEY) $(eval $(call config_filename,MODULE_SIG_KEY)) MODPUBKEY = ./signing_key.x509 export MODPUBKEY mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key.x509 mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) else else mod_sign_cmd = true mod_sign_cmd = true endif endif Loading 
@@ -881,7 +880,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) ifeq ($(KBUILD_EXTMOD),) core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ core-y += kernel/ certs/ mm/ fs/ ipc/ security/ crypto/ block/ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ Loading certs/Kconfig 0 → 100644 +42 −0 Original line number Original line Diff line number Diff line menu "Certificates for signature checking" config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "certs/signing_key.pem" depends on MODULE_SIG help Provide the file name of a private key/certificate in PEM format, or a PKCS#11 URI according to RFC7512. The file should contain, or the URI should identify, both the certificate and its corresponding private key. If this option is unchanged from its default "certs/signing_key.pem", then the kernel will automatically generate the private key and certificate as described in Documentation/module-signing.txt config SYSTEM_TRUSTED_KEYRING bool "Provide system-wide ring of trusted keys" depends on KEYS help Provide a system keyring to which trusted keys can be added. Keys in the keyring are considered to be trusted. Keys may be added at will by the kernel from compiled-in data and from hardware key stores, but userspace may only add extra keys if those keys can be verified by keys already in the keyring. Keys in this keyring are used by module signature checking. config SYSTEM_TRUSTED_KEYS string "Additional X.509 keys for default system keyring" depends on SYSTEM_TRUSTED_KEYRING help If set, this option should be the filename of a PEM-formatted file containing trusted X.509 certificates to be included in the default system keyring. Any certificate used for module signing is implicitly also trusted. 
NOTE: If you previously provided keys for the system keyring in the form of DER-encoded *.x509 files in the top-level build directory, those are no longer used. You will need to set this option instead. endmenu certs/Makefile 0 → 100644 +94 −0 Original line number Original line Diff line number Diff line # # Makefile for the linux kernel signature checking certificates. # obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) # GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) $(obj)/system_certificates.o: $(obj)/x509_certificate_list # Cope with signing_key.x509 existing in $(srctree) not $(objtree) AFLAGS_system_certificates.o := -I$(srctree) quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) cmd_extract_certs = scripts/extract-cert $(2) $@ || ( rm $@; exit 1) targets += x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif clean-files := x509_certificate_list .x509.list ifeq ($(CONFIG_MODULE_SIG),y) ############################################################################### # # If module signing is requested, say by allyesconfig, but a key has not been # supplied, then one will need to be generated to make sure the build does not # fail and that the kernel may be used afterwards. # ############################################################################### ifndef CONFIG_MODULE_SIG_HASH $(error Could not determine digest type to use from kernel config) endif # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. 
ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") $(obj)/signing_key.pem: $(obj)/x509.genkey @echo "###" @echo "### Now generating an X.509 key pair to be used for signing modules." @echo "###" @echo "### If this takes a long time, you might wish to run rngd in the" @echo "### background to keep the supply of entropy topped up. It" @echo "### needs to be run as root, and uses a hardware random" @echo "### number generator if one is available." @echo "###" openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.pem \ -keyout $(obj)/signing_key.pem 2>&1 @echo "###" @echo "### Key pair generated." @echo "###" $(obj)/x509.genkey: @echo Generating X.509 key generation config @echo >$@ "[ req ]" @echo >>$@ "default_bits = 4096" @echo >>$@ "distinguished_name = req_distinguished_name" @echo >>$@ "prompt = no" @echo >>$@ "string_mask = utf8only" @echo >>$@ "x509_extensions = myexts" @echo >>$@ @echo >>$@ "[ req_distinguished_name ]" @echo >>$@ "#O = Unspecified company" @echo >>$@ "CN = Build time autogenerated kernel key" @echo >>$@ "#emailAddress = unspecified.user@unspecified.company" @echo >>$@ @echo >>$@ "[ myexts ]" @echo >>$@ "basicConstraints=critical,CA:FALSE" @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" endif $(eval $(call config_filename,MODULE_SIG_KEY)) # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) endif # GCC PR#66871 again. $(obj)/system_certificates.o: $(obj)/signing_key.x509 targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif Loading
Documentation/module-signing.txt +9 −9 Original line number Original line Diff line number Diff line Loading @@ -92,13 +92,13 @@ This has a number of options available: (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) Setting this option to something other than its default of Setting this option to something other than its default of "signing_key.pem" will disable the autogeneration of signing keys and "certs/signing_key.pem" will disable the autogeneration of signing keys allow the kernel modules to be signed with a key of your choosing. and allow the kernel modules to be signed with a key of your choosing. The string provided should identify a file containing both a private The string provided should identify a file containing both a private key key and its corresponding X.509 certificate in PEM form, or — on and its corresponding X.509 certificate in PEM form, or — on systems where systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by as defined by RFC7512. In the latter case, the PKCS#11 URI should RFC7512. In the latter case, the PKCS#11 URI should reference both a reference both a certificate and a private key. certificate and a private key. If the PEM file containing the private key is encrypted, or if the If the PEM file containing the private key is encrypted, or if the PKCS#11 token requries a PIN, this can be provided at build time by PKCS#11 token requries a PIN, this can be provided at build time by Loading Loading 
@@ -130,12 +130,12 @@ Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its default, the kernel build will automatically generate a new keypair using default, the kernel build will automatically generate a new keypair using openssl if one does not exist in the file: openssl if one does not exist in the file: signing_key.pem certs/signing_key.pem during the building of vmlinux (the public part of the key needs to be built during the building of vmlinux (the public part of the key needs to be built into vmlinux) using parameters in the: into vmlinux) using parameters in the: x509.genkey certs/x509.genkey file (which is also generated if it does not already exist). file (which is also generated if it does not already exist). Loading
MAINTAINERS +9 −0 Original line number Original line Diff line number Diff line Loading @@ -2589,6 +2589,15 @@ S: Supported F: Documentation/filesystems/ceph.txt F: Documentation/filesystems/ceph.txt F: fs/ceph/ F: fs/ceph/ CERTIFICATE HANDLING: M: David Howells <dhowells@redhat.com> M: David Woodhouse <dwmw2@infradead.org> L: keyrings@linux-nfs.org S: Maintained F: Documentation/module-signing.txt F: certs/ F: scripts/extract-cert.c CERTIFIED WIRELESS USB (WUSB) SUBSYSTEM: CERTIFIED WIRELESS USB (WUSB) SUBSYSTEM: L: linux-usb@vger.kernel.org L: linux-usb@vger.kernel.org S: Orphan S: Orphan Loading
Makefile +4 −5 Original line number Original line Diff line number Diff line Loading @@ -870,10 +870,9 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y) # export INITRD_COMPRESS := $(INITRD_COMPRESS-y) ifdef CONFIG_MODULE_SIG_ALL ifdef CONFIG_MODULE_SIG_ALL MODSECKEY = $(CONFIG_MODULE_SIG_KEY) $(eval $(call config_filename,MODULE_SIG_KEY)) MODPUBKEY = ./signing_key.x509 export MODPUBKEY mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key.x509 mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) else else mod_sign_cmd = true mod_sign_cmd = true endif endif Loading @@ -881,7 +880,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) ifeq ($(KBUILD_EXTMOD),) core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ core-y += kernel/ certs/ mm/ fs/ ipc/ security/ crypto/ block/ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ Loading
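Review bot: The new `mod_sign_cmd` hard-codes `certs/signing_key.x509` as a path relative to the working directory, while the key argument goes through `$(MODULE_SIG_KEY_SRCPREFIX)`. Nothing on the line says that the certificate is expected in the object tree, where certs/Makefile builds it as `$(obj)/signing_key.x509`. A short comment above the assignment would help, for example `# Key may be in the source tree or a PKCS#11 URI; the extracted cert is always built in the object tree by certs/Makefile`. The key argument keeps the Kconfig value's double quotes, presumably so that a file name or URI reaches the shell as one word; saying so in the comment would stop a later cleanup from swapping in the unquoted `MODULE_SIG_KEY_FILENAME`. Whether anything outside this file still reads the previously exported `MODPUBKEY` is not visible from this hunk and should be checked.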
certs/Kconfig 0 → 100644 +42 −0 Original line number Original line Diff line number Diff line menu "Certificates for signature checking" config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "certs/signing_key.pem" depends on MODULE_SIG help Provide the file name of a private key/certificate in PEM format, or a PKCS#11 URI according to RFC7512. The file should contain, or the URI should identify, both the certificate and its corresponding private key. If this option is unchanged from its default "certs/signing_key.pem", then the kernel will automatically generate the private key and certificate as described in Documentation/module-signing.txt config SYSTEM_TRUSTED_KEYRING bool "Provide system-wide ring of trusted keys" depends on KEYS help Provide a system keyring to which trusted keys can be added. Keys in the keyring are considered to be trusted. Keys may be added at will by the kernel from compiled-in data and from hardware key stores, but userspace may only add extra keys if those keys can be verified by keys already in the keyring. Keys in this keyring are used by module signature checking. config SYSTEM_TRUSTED_KEYS string "Additional X.509 keys for default system keyring" depends on SYSTEM_TRUSTED_KEYRING help If set, this option should be the filename of a PEM-formatted file containing trusted X.509 certificates to be included in the default system keyring. Any certificate used for module signing is implicitly also trusted. NOTE: If you previously provided keys for the system keyring in the form of DER-encoded *.x509 files in the top-level build directory, those are no longer used. You will need to set this option instead. endmenu
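Review bot: The help text for MODULE_SIG_KEY says the key is generated automatically, but not that the generated private key is stored unencrypted in the build tree. The rule in certs/Makefile in this same commit calls `openssl req` with `-nodes` and writes the key to `certs/signing_key.pem`. Since the SYSTEM_TRUSTED_KEYS help notes that any certificate used for module signing is implicitly trusted, one more sentence in the MODULE_SIG_KEY help would be useful, for example `The generated private key is not encrypted; protect or remove certs/signing_key.pem after the build if the kernel is to be distributed.` This is a documentation suggestion only and changes no option semantics.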
certs/Makefile 0 → 100644 +94 −0 Original line number Original line Diff line number Diff line # # Makefile for the linux kernel signature checking certificates. # obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) # GCC doesn't include .incbin files in -MD generated dependencies (PR#66871) $(obj)/system_certificates.o: $(obj)/x509_certificate_list # Cope with signing_key.x509 existing in $(srctree) not $(objtree) AFLAGS_system_certificates.o := -I$(srctree) quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) cmd_extract_certs = scripts/extract-cert $(2) $@ || ( rm $@; exit 1) targets += x509_certificate_list $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) FORCE $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif clean-files := x509_certificate_list .x509.list ifeq ($(CONFIG_MODULE_SIG),y) ############################################################################### # # If module signing is requested, say by allyesconfig, but a key has not been # supplied, then one will need to be generated to make sure the build does not # fail and that the kernel may be used afterwards. # ############################################################################### ifndef CONFIG_MODULE_SIG_HASH $(error Could not determine digest type to use from kernel config) endif # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") $(obj)/signing_key.pem: $(obj)/x509.genkey @echo "###" @echo "### Now generating an X.509 key pair to be used for signing modules." 
@echo "###" @echo "### If this takes a long time, you might wish to run rngd in the" @echo "### background to keep the supply of entropy topped up. It" @echo "### needs to be run as root, and uses a hardware random" @echo "### number generator if one is available." @echo "###" openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.pem \ -keyout $(obj)/signing_key.pem 2>&1 @echo "###" @echo "### Key pair generated." @echo "###" $(obj)/x509.genkey: @echo Generating X.509 key generation config @echo >$@ "[ req ]" @echo >>$@ "default_bits = 4096" @echo >>$@ "distinguished_name = req_distinguished_name" @echo >>$@ "prompt = no" @echo >>$@ "string_mask = utf8only" @echo >>$@ "x509_extensions = myexts" @echo >>$@ @echo >>$@ "[ req_distinguished_name ]" @echo >>$@ "#O = Unspecified company" @echo >>$@ "CN = Build time autogenerated kernel key" @echo >>$@ "#emailAddress = unspecified.user@unspecified.company" @echo >>$@ @echo >>$@ "[ myexts ]" @echo >>$@ "basicConstraints=critical,CA:FALSE" @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" endif $(eval $(call config_filename,MODULE_SIG_KEY)) # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) endif # GCC PR#66871 again. $(obj)/system_certificates.o: $(obj)/signing_key.x509 targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif
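Review bot: The `$(obj)/signing_key.pem` recipe has no cleanup on failure, unlike `cmd_extract_certs` earlier in the same file, which ends in `|| ( rm $@; exit 1)`. If `openssl req` stops after the key has been written, nothing in this file removes the partial output, and a file newer than `x509.genkey` would be treated as up to date on the next build. Ending the openssl command with `2>&1 || ( rm -f $@; exit 1 )` keeps the two rules consistent. The same concern applies to `$(obj)/x509.genkey`, which is assembled by a run of separate `echo >>$@` lines and can be left truncated by an interrupted build. Because `-nodes` writes the private key unencrypted, it is also worth either a comment stating that the file's mode is left to openssl and the build umask, or pinning it with `umask 077 &&` in front of the command.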