Pull signature checking selftest from David Howells:
"The signature checking code, as used by module signing, kexec, etc.,
is non-FIPS compliant as there is no selftest.
For a kernel to be FIPS-compliant, signature checking would have to be
tested before being used, and the box would need to panic if it's not
available (probably reasonable as simply disabling signature checking
would prevent you from loading any driver modules).
Deal with this by adding a minimal test.
This is split into two patches: the first moves load_certificate_list()
to the same place as the X.509 code to make it more accessible
internally; the second adds a selftest"
* tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
certs: Add FIPS selftests
certs: Move load_certificate_list() to be with the asymmetric keys code
Commit addf466389 ("certs: Check that builtin blacklist hashes are
valid") was applied 8 months after the submission.
In the meantime, the base code had been removed by commit b8c96a6b46
("certs: simplify $(srctree)/ handling and remove config_filename
macro").
Fix the Makefile.
Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is
included from certs/blacklist_hashes.c and also works as a timestamp.
Send error messages from check-blacklist-hashes.awk to stderr instead
of stdout.
Fixes: addf466389 ("certs: Check that builtin blacklist hashes are valid")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Pull Kbuild updates from Masahiro Yamada:
- Add HOSTPKG_CONFIG env variable to allow users to override pkg-config
- Support W=e as a shorthand for KCFLAGS=-Werror
- Fix CONFIG_IKHEADERS build to support toybox cpio
- Add scripts/dummy-tools/pahole to ease distro packagers' life
- Suppress false-positive warnings from checksyscalls.sh for W=2 build
- Factor out the common code of arch/*/boot/install.sh into
scripts/install.sh
- Support 'kernel-install' tool in scripts/prune-kernel
- Refactor module-versioning to link the symbol versions at the final
link of vmlinux and modules
- Remove CONFIG_MODULE_REL_CRCS because module-versioning now works in
an arch-agnostic way
- Refactor modpost, Makefiles
* tag 'kbuild-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: (56 commits)
genksyms: adjust the output format to modpost
kbuild: stop merging *.symversions
kbuild: link symbol CRCs at final link, removing CONFIG_MODULE_REL_CRCS
modpost: extract symbol versions from *.cmd files
modpost: add sym_find_with_module() helper
modpost: change the license of EXPORT_SYMBOL to bool type
modpost: remove left-over cross_compile declaration
kbuild: record symbol versions in *.cmd files
kbuild: generate a list of objects in vmlinux
modpost: move *.mod.c generation to write_mod_c_files()
modpost: merge add_{intree_flag,retpoline,staging_flag} to add_header
scripts/prune-kernel: Use kernel-install if available
kbuild: factor out the common installation code into scripts/install.sh
modpost: split new_symbol() to symbol allocation and hash table addition
modpost: make sym_add_exported() always allocate a new symbol
modpost: make multiple export error
modpost: dump Module.symvers in the same order of modules.order
modpost: traverse the namespace_list in order
modpost: use doubly linked list for dump_lists
modpost: traverse unresolved symbols in order
...
Add and use a check-blacklist-hashes.awk script to make sure that the
builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will
effectively be taken into account as blacklisted hashes. This is useful
to debug invalid hash formats, and it make sure that previous hashes
which could have been loaded in the kernel, but silently ignored, are
now noticed and deal with by the user at kernel build time.
This also prevent stricter blacklist key description checking (provided
by following commits) to failed for builtin hashes.
Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of
a hash string and how to generate certificate ones.
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Add HOSTPKG_CONFIG to allow tooling that builds the kernel to override
what pkg-config and parameters are used.
Signed-off-by: Chun-Tse Shao <ctshao@google.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
To create an empty cert file, we need to pass "" to the extract-cert
tool, which is common for all the three call-sites of cmd_extract_certs.
Factor out the logic into extract-cert-in.
One exceptional case is PKCS#11 case, where we override extract-cert-in
with the URI.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>
I do not see much sense in the #if conditional in system_certificates.S;
even if the condition is true, there exists no signing key when
CONFIG_MODULE_SIG_KEY="".
So, certs/Makefile generates empty certs/signing_key.x509 in such a
case. We can always do this, irrespective of CONFIG_MODULE_SIG or
(CONFIG_IMA_APPRAISE_MODSIG && CONFIG_MODULES).
We only need to check CONFIG_MODULE_SIG_KEY, then both *.S and Makefile
will become much simpler.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
When CONFIG_MODULE_SIG_KEY is PKCS#11 URL (pkcs11:*), signing_key.x509
fails to build:
certs/Makefile:77: *** target pattern contains no '%'. Stop.
Due to the typo, $(X509_DEP) contains a colon.
Fix it.
Fixes: b8c96a6b46 ("certs: simplify $(srctree)/ handling and remove config_filename macro")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
The previous commit fixed up all shell scripts to not include
include/config/auto.conf.
Now that include/config/auto.conf is only included by Makefiles,
we can change it into a more Make-friendly form.
Previously, Kconfig output string values enclosed with double-quotes
(both in the .config and include/config/auto.conf):
CONFIG_X="foo bar"
Unlike shell, Make handles double-quotes (and single-quotes as well)
verbatim. We must rip them off when used.
There are some patterns:
[1] $(patsubst "%",%,$(CONFIG_X))
[2] $(CONFIG_X:"%"=%)
[3] $(subst ",,$(CONFIG_X))
[4] $(shell echo $(CONFIG_X))
These are not only ugly, but also fragile.
[1] and [2] do not work if the value contains spaces, like
CONFIG_X=" foo bar "
[3] does not work correctly if the value contains double-quotes like
CONFIG_X="foo\"bar"
[4] seems to work better, but has a cost of forking a process.
Anyway, quoted strings were always PITA for our Makefiles.
This commit changes Kconfig to stop quoting in include/config/auto.conf.
These are the string type symbols referenced in Makefiles or scripts:
ACPI_CUSTOM_DSDT_FILE
ARC_BUILTIN_DTB_NAME
ARC_TUNE_MCPU
BUILTIN_DTB_SOURCE
CC_IMPLICIT_FALLTHROUGH
CC_VERSION_TEXT
CFG80211_EXTRA_REGDB_KEYDIR
EXTRA_FIRMWARE
EXTRA_FIRMWARE_DIR
EXTRA_TARGETS
H8300_BUILTIN_DTB
INITRAMFS_SOURCE
LOCALVERSION
MODULE_SIG_HASH
MODULE_SIG_KEY
NDS32_BUILTIN_DTB
NIOS2_DTB_SOURCE
OPENRISC_BUILTIN_DTB
SOC_CANAAN_K210_DTB_SOURCE
SYSTEM_BLACKLIST_HASH_LIST
SYSTEM_REVOCATION_KEYS
SYSTEM_TRUSTED_KEYS
TARGET_CPU
UNUSED_KSYMS_WHITELIST
XILINX_MICROBLAZE0_FAMILY
XILINX_MICROBLAZE0_HW_VER
XTENSA_VARIANT_NAME
I checked them one by one, and fixed up the code where necessary.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
The complex macro, config_filename, was introduced to do:
[1] drop double-quotes from the string value
[2] add $(srctree)/ prefix in case the file is not found in $(objtree)
[3] escape spaces and more
[1] will be more generally handled by Kconfig later.
As for [2], Kbuild uses VPATH to search for files in $(objtree),
$(srctree) in this order. GNU Make can natively handle it.
As for [3], converting $(space) to $(space_escape) back and forth looks
questionable to me. It is well-known that GNU Make cannot handle file
paths with spaces in the first place.
Instead of using the complex macro, use $< so it will be expanded to
the file path of the key.
Remove config_filename, finally.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
This dependency is necessary irrespective of the mentioned GCC PR
because the embedded certificates are build artifacts and must be
generated by extract_certs before *.S files are compiled.
The comment sounds like we are hoping to remove these dependencies
someday. No, we cannot remove them.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
'make clean' removes files listed in 'targets'. It is redundant to
specify both 'targets' and 'clean-files'.
Move 'targets' assignments out of the ifeq-conditionals so
scripts/Makefile.clean can see them.
One effective change is that certs/certs/signing_key.x509 is now
deleted by 'make clean' instead of 'make mrproper. This certificate
is embedded in the kernel. It is not used in any way by external
module builds.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>
The .incbin directive in certs/system_certificates.S includes
certs/signing_key.x509 and certs/x509_certificate_list, both of which
are generated by extract_certs, i.e. exist in $(objtree).
This option -I$(srctree) is unneeded.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
cmd_extract_certs is defined twice. Unify them.
The current log shows the input file $(2), which might be empty.
You cannot know what is being created from the log, "EXTRACT_CERTS".
Change the log to show the output file with better alignment.
[Before]
EXTRACT_CERTS certs/signing_key.pem
CC certs/system_keyring.o
EXTRACT_CERTS
AS certs/system_certificates.o
CC certs/common.o
CC certs/blacklist.o
EXTRACT_CERTS
AS certs/revocation_certificates.o
[After]
CERT certs/signing_key.x509
CC certs/system_keyring.o
CERT certs/x509_certificate_list
AS certs/system_certificates.o
CC certs/common.o
CC certs/blacklist.o
CERT certs/x509_revocation_list
AS certs/revocation_certificates.o
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>
Do not repeat $(obj)/x509.genkey or $(obj)/signing_key.pem
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>
If the key type of the existing signing key does not match to
CONFIG_MODULE_SIG_KEY_TYPE_*, the Makefile removes it so that it is
re-generated.
Use if_changed so that the key is re-generated when the key type is
changed (that is, the openssl command line is changed).
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Commit 5d06ee20b6 ("modsign: hide openssl output in silent builds")
silenced the key generation log from openssl in silent builds.
Since commit 174a1dcc96 ("kbuild: sink stdout from cmd for silent
build"), the 'cmd' macro can handle it in a cleaner way.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
When you run Kbuild with the parallel option -j, the messages from this
rule and others are interleaved, like follows:
###
CC arch/x86/mm/pat/set_memory.o
### Now generating an X.509 key pair to be used for signing modules.
###
### If this takes a long time, you might wish to run rngd in the
### background to keep the supply of entropy topped up. It
CC arch/x86/events/intel/bts.o
HDRTEST usr/include/linux/qnx4_fs.h
CC arch/x86/events/zhaoxin/core.o
### needs to be run as root, and uses a hardware random
### number generator if one is available.
AR init/built-in.a
###
On modern machines, it does not take a long time to generate the key.
Remove the ugly log messages.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
When x509.genkey is created, it prints a log:
Generating X.509 key generation config
..., which is not the ordinary Kbuild log style.
Check-in the default config as certs/default_x509.genkey to make it
readable, and copy it to certs/x509.genkey if it is not present.
The log is shown in the Kbuild style.
COPY certs/x509.genkey
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
CONFIG_MODULE_SIG_HASH is defined by init/Kconfig. This $(error ...) is
never reachable. (If it is, you need to fix the bug.)
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Add support for using elliptic curve keys for signing modules. It uses
a NIST P384 (secp384r1) key if the user chooses an elliptic curve key
and will have ECDSA support built into the kernel.
Note: A developer choosing an ECDSA key for signing modules should still
delete the signing key (rm certs/signing_key.*) when building an older
version of a kernel that only supports RSA keys. Unless kbuild automati-
cally detects and generates a new kernel module key, ECDSA-signed kernel
modules will fail signature verification.
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
