be7ac52
From a6a74ede612b526dd0f958c2eee5adfa9b038b95 Mon Sep 17 00:00:00 2001
be7ac52
From: Josh Boyer <jwboyer@redhat.com>
be7ac52
Date: Mon, 15 Oct 2012 10:14:09 -0400
be7ac52
Subject: [PATCH 1/2] Revert "MODSIGN: Sign modules during the build process"
Josh Boyer f0f4ff2
be7ac52
This reverts commit 80d65e58e93ffdabf58202653a0435bd3cf2d82e.
Josh Boyer f0f4ff2
---
be7ac52
 scripts/Makefile.modpost |  77 +------------------------------
be7ac52
 scripts/sign-file        | 115 -----------------------------------------------
be7ac52
 2 files changed, 1 insertion(+), 191 deletions(-)
be7ac52
 delete mode 100644 scripts/sign-file
be7ac52
be7ac52
diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
be7ac52
index 0020891..a1cb022 100644
be7ac52
--- a/scripts/Makefile.modpost
be7ac52
+++ b/scripts/Makefile.modpost
be7ac52
@@ -14,8 +14,7 @@
be7ac52
 # 3)  create one <module>.mod.c file pr. module
be7ac52
 # 4)  create one Module.symvers file with CRC for all exported symbols
be7ac52
 # 5) compile all <module>.mod.c files
be7ac52
-# 6) final link of the module to a <module.ko> (or <module.unsigned>) file
be7ac52
-# 7) signs the modules to a <module.ko> file
be7ac52
+# 6) final link of the module to a <module.ko> file
be7ac52
 
be7ac52
 # Step 3 is used to place certain information in the module's ELF
be7ac52
 # section, including information such as:
be7ac52
@@ -33,8 +32,6 @@
be7ac52
 # Step 4 is solely used to allow module versioning in external modules,
be7ac52
 # where the CRC of each module is retrieved from the Module.symvers file.
be7ac52
 
be7ac52
-# Step 7 is dependent on CONFIG_MODULE_SIG being enabled.
be7ac52
-
be7ac52
 # KBUILD_MODPOST_WARN can be set to avoid error out in case of undefined
be7ac52
 # symbols in the final module linking stage
be7ac52
 # KBUILD_MODPOST_NOFINAL can be set to skip the final link of modules.
be7ac52
@@ -119,7 +116,6 @@ $(modules:.ko=.mod.o): %.mod.o: %.mod.c FORCE
be7ac52
 targets += $(modules:.ko=.mod.o)
be7ac52
 
be7ac52
 # Step 6), final link of the modules
be7ac52
-ifneq ($(CONFIG_MODULE_SIG),y)
be7ac52
 quiet_cmd_ld_ko_o = LD [M]  $@
be7ac52
       cmd_ld_ko_o = $(LD) -r $(LDFLAGS)                                 \
be7ac52
                              $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \
be7ac52
@@ -129,78 +125,7 @@ $(modules): %.ko :%.o %.mod.o FORCE
be7ac52
 	$(call if_changed,ld_ko_o)
be7ac52
 
be7ac52
 targets += $(modules)
be7ac52
-else
be7ac52
-quiet_cmd_ld_ko_unsigned_o = LD [M]  $@
be7ac52
-      cmd_ld_ko_unsigned_o =						\
be7ac52
-		$(LD) -r $(LDFLAGS)					\
be7ac52
-			 $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE)	\
be7ac52
-			 -o $@ $(filter-out FORCE,$^)			\
be7ac52
-		$(if $(AFTER_LINK),; $(AFTER_LINK))
be7ac52
-
be7ac52
-$(modules:.ko=.ko.unsigned): %.ko.unsigned :%.o %.mod.o FORCE
be7ac52
-	$(call if_changed,ld_ko_unsigned_o)
be7ac52
-
be7ac52
-targets += $(modules:.ko=.ko.unsigned)
be7ac52
-
be7ac52
-# Step 7), sign the modules
be7ac52
-MODSECKEY = ./signing_key.priv
be7ac52
-MODPUBKEY = ./signing_key.x509
be7ac52
-
be7ac52
-ifeq ($(wildcard $(MODSECKEY))+$(wildcard $(MODPUBKEY)),$(MODSECKEY)+$(MODPUBKEY))
be7ac52
-ifeq ($(KBUILD_SRC),)
be7ac52
-	# no O= is being used
be7ac52
-	SCRIPTS_DIR := scripts
be7ac52
-else
be7ac52
-	SCRIPTS_DIR := $(KBUILD_SRC)/scripts
be7ac52
-endif
be7ac52
-SIGN_MODULES := 1
be7ac52
-else
be7ac52
-SIGN_MODULES := 0
be7ac52
-endif
be7ac52
-
be7ac52
-# only sign if it's an in-tree module
be7ac52
-ifneq ($(KBUILD_EXTMOD),)
be7ac52
-SIGN_MODULES := 0
be7ac52
-endif
be7ac52
 
be7ac52
-# We strip the module as best we can - note that using both strip and eu-strip
be7ac52
-# results in a smaller module than using either alone.
be7ac52
-EU_STRIP = $(shell which eu-strip || echo true)
be7ac52
-
be7ac52
-quiet_cmd_sign_ko_stripped_ko_unsigned = STRIP [M] $@
be7ac52
-      cmd_sign_ko_stripped_ko_unsigned = \
be7ac52
-		cp $< $@ && \
be7ac52
-		strip -x -g $@ && \
be7ac52
-		$(EU_STRIP) $@
be7ac52
-
be7ac52
-ifeq ($(SIGN_MODULES),1)
be7ac52
-
be7ac52
-quiet_cmd_genkeyid = GENKEYID $@
be7ac52
-      cmd_genkeyid = \
be7ac52
-		perl $(SCRIPTS_DIR)/x509keyid $< $<.signer $<.keyid
be7ac52
-
be7ac52
-%.signer %.keyid: %
be7ac52
-	$(call if_changed,genkeyid)
be7ac52
-
be7ac52
-KEYRING_DEP := $(MODSECKEY) $(MODPUBKEY) $(MODPUBKEY).signer $(MODPUBKEY).keyid
be7ac52
-quiet_cmd_sign_ko_ko_stripped = SIGN [M] $@
be7ac52
-      cmd_sign_ko_ko_stripped = \
be7ac52
-		sh $(SCRIPTS_DIR)/sign-file $(MODSECKEY) $(MODPUBKEY) $< $@
be7ac52
-else
be7ac52
-KEYRING_DEP :=
be7ac52
-quiet_cmd_sign_ko_ko_unsigned = NO SIGN [M] $@
be7ac52
-      cmd_sign_ko_ko_unsigned = \
be7ac52
-		cp $< $@
be7ac52
-endif
be7ac52
-
be7ac52
-$(modules): %.ko :%.ko.stripped $(KEYRING_DEP) FORCE
be7ac52
-	$(call if_changed,sign_ko_ko_stripped)
be7ac52
-
be7ac52
-$(patsubst %.ko,%.ko.stripped,$(modules)): %.ko.stripped :%.ko.unsigned FORCE
be7ac52
-	$(call if_changed,sign_ko_stripped_ko_unsigned)
be7ac52
-
be7ac52
-targets += $(modules)
be7ac52
-endif
Josh Boyer f0f4ff2
 
be7ac52
 # Add FORCE to the prequisites of a target to force it to be always rebuilt.
be7ac52
 # ---------------------------------------------------------------------------
be7ac52
diff --git a/scripts/sign-file b/scripts/sign-file
be7ac52
deleted file mode 100644
be7ac52
index e58e34e..0000000
be7ac52
--- a/scripts/sign-file
be7ac52
+++ /dev/null
be7ac52
@@ -1,115 +0,0 @@
be7ac52
-#!/bin/sh
be7ac52
-#
be7ac52
-# Sign a module file using the given key.
be7ac52
-#
be7ac52
-# Format: sign-file <key> <x509> <src-file> <dst-file>
be7ac52
-#
be7ac52
-
be7ac52
-scripts=`dirname $0`
be7ac52
-
be7ac52
-CONFIG_MODULE_SIG_SHA512=y
be7ac52
-if [ -r .config ]
be7ac52
-then
be7ac52
-    . ./.config
be7ac52
-fi
be7ac52
-
be7ac52
-key="$1"
be7ac52
-x509="$2"
be7ac52
-src="$3"
be7ac52
-dst="$4"
be7ac52
-
be7ac52
-if [ ! -r "$key" ]
be7ac52
-then
be7ac52
-    echo "Can't read private key" >&2
be7ac52
-    exit 2
be7ac52
-fi
be7ac52
-
be7ac52
-if [ ! -r "$x509" ]
be7ac52
-then
be7ac52
-    echo "Can't read X.509 certificate" >&2
be7ac52
-    exit 2
be7ac52
-fi
be7ac52
-if [ ! -r "$x509.signer" ]
be7ac52
-then
be7ac52
-    echo "Can't read Signer name" >&2
be7ac52
-    exit 2;
be7ac52
-fi
be7ac52
-if [ ! -r "$x509.keyid" ]
be7ac52
-then
be7ac52
-    echo "Can't read Key identifier" >&2
be7ac52
-    exit 2;
be7ac52
-fi
be7ac52
-
be7ac52
-#
be7ac52
-# Signature parameters
be7ac52
-#
be7ac52
-algo=1		# Public-key crypto algorithm: RSA
be7ac52
-hash=		# Digest algorithm
be7ac52
-id_type=1	# Identifier type: X.509
be7ac52
-
be7ac52
-#
be7ac52
-# Digest the data
be7ac52
-#
be7ac52
-dgst=
be7ac52
-if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
be7ac52
-then
be7ac52
-    prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
be7ac52
-    dgst=-sha1
be7ac52
-    hash=2
be7ac52
-elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
be7ac52
-then
be7ac52
-    prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
be7ac52
-    dgst=-sha224
be7ac52
-    hash=7
be7ac52
-elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
be7ac52
-then
be7ac52
-    prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
be7ac52
-    dgst=-sha256
be7ac52
-    hash=4
be7ac52
-elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
be7ac52
-then
be7ac52
-    prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
be7ac52
-    dgst=-sha384
be7ac52
-    hash=5
be7ac52
-elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
be7ac52
-then
be7ac52
-    prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
be7ac52
-    dgst=-sha512
be7ac52
-    hash=6
be7ac52
-else
be7ac52
-    echo "$0: Can't determine hash algorithm" >&2
be7ac52
-    exit 2
be7ac52
-fi
be7ac52
-
be7ac52
-(
be7ac52
-perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
be7ac52
-openssl dgst $dgst -binary $src || exit $?
be7ac52
-) >$src.dig || exit $?
be7ac52
-
be7ac52
-#
be7ac52
-# Generate the binary signature, which will be just the integer that comprises
be7ac52
-# the signature with no metadata attached.
be7ac52
-#
be7ac52
-openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
be7ac52
-signerlen=`stat -c %s $x509.signer`
be7ac52
-keyidlen=`stat -c %s $x509.keyid`
be7ac52
-siglen=`stat -c %s $src.sig`
be7ac52
-
be7ac52
-#
be7ac52
-# Build the signed binary
be7ac52
-#
be7ac52
-(
be7ac52
-    cat $src || exit $?
be7ac52
-    echo '~Module signature appended~' || exit $?
be7ac52
-    cat $x509.signer $x509.keyid || exit $?
be7ac52
-
be7ac52
-    # Preface each signature integer with a 2-byte BE length
be7ac52
-    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
be7ac52
-    cat $src.sig || exit $?
be7ac52
-
be7ac52
-    # Generate the information block
be7ac52
-    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
be7ac52
-) >$dst~ || exit $?
be7ac52
-
be7ac52
-# Permit in-place signing
be7ac52
-mv $dst~ $dst || exit $?
Josh Boyer f0f4ff2
-- 
be7ac52
1.7.12.1
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
be7ac52
From b29453cb9b235041f789c81b1982179acb6d3d06 Mon Sep 17 00:00:00 2001
Josh Boyer f0f4ff2
From: Josh Boyer <jwboyer@redhat.com>
Josh Boyer f0f4ff2
Date: Mon, 24 Sep 2012 10:46:36 -0400
be7ac52
Subject: [PATCH 2/2] MODSIGN: Add modules_sign make target
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
If CONFIG_MODULE_SIG is set, and 'make modules_sign' is called then this
Josh Boyer f0f4ff2
patch will cause the modules to get a signature installed.  The make target
Josh Boyer f0f4ff2
is intended to be run after 'make modules_install', and will modify the
Josh Boyer f0f4ff2
modules in-place in the installed location.
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
The signature will be appended to the module, along with some information
Josh Boyer f0f4ff2
about the signature size and a magic string that indicates the presence of
Josh Boyer f0f4ff2
the signature.  This requires private and public keys to be available.  By
Josh Boyer f0f4ff2
default these are expected to be found in files:
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
    signing_key.priv
Josh Boyer f0f4ff2
    signing_key.x509
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
in the base directory of the build.  The first is the private key in PEM
Josh Boyer f0f4ff2
form and the second is the X.509 certificate in DER form as can be generated
Josh Boyer f0f4ff2
from openssl:
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
    openssl req \
Josh Boyer f0f4ff2
            -new -x509 -outform PEM -out signing_key.x509 \
Josh Boyer f0f4ff2
            -keyout signing_key.priv -nodes \
Josh Boyer f0f4ff2
            -subj "/CN=H2G2/O=Magrathea/CN=Slartibartfast"
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
If the secret key is not found then signing will be skipped and the unsigned
Josh Boyer f0f4ff2
module from (1) will just be copied to foo.ko.
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
If signing occurs, lines like the following will be seen:
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
        SIGN [M] <install path>/fs/foo/foo.ko
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
will appear in the build log.  If the signature step will be skipped and the
Josh Boyer f0f4ff2
following will be seen:
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
        NO SIGN [M] <install path>/fs/foo/foo.ko
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
NOTE!  After the signature step, the signed module must not be passed through
Josh Boyer f0f4ff2
strip.  If you wish to strip or otherwise modify the kernel modules, use the
Josh Boyer f0f4ff2
built-in stripping capabilities with 'make modules_install' or perform said
Josh Boyer f0f4ff2
modifications before calling this make target.  This restriction may affect
Josh Boyer f0f4ff2
packaging tools (such as rpmbuild) and initramfs composition tools.
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
Based heavily on work by: David Howells <dhowells@redhat.com>
Josh Boyer f0f4ff2
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
Josh Boyer f0f4ff2
---
Josh Boyer f0f4ff2
 Makefile                 |   6 +++
Josh Boyer f0f4ff2
 scripts/Makefile.modsign |  72 +++++++++++++++++++++++++++++
Josh Boyer f0f4ff2
 scripts/sign-file        | 115 +++++++++++++++++++++++++++++++++++++++++++++++
Josh Boyer f0f4ff2
 3 files changed, 193 insertions(+)
Josh Boyer f0f4ff2
 create mode 100644 scripts/Makefile.modsign
Josh Boyer f0f4ff2
 create mode 100644 scripts/sign-file
Josh Boyer f0f4ff2
Josh Boyer f0f4ff2
diff --git a/Makefile b/Makefile
be7ac52
index 5be2ee8..618cfbbf 100644
Josh Boyer f0f4ff2
--- a/Makefile
Josh Boyer f0f4ff2
+++ b/Makefile
be7ac52
@@ -968,6 +968,12 @@ _modinst_post: _modinst_
Josh Boyer f0f4ff2
 	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.fwinst obj=firmware __fw_modinst
Josh Boyer f0f4ff2
 	$(call cmd,depmod)
Josh Boyer f0f4ff2
 
Josh Boyer f0f4ff2
+ifeq ($(CONFIG_MODULE_SIG), y)
Josh Boyer f0f4ff2
+PHONY += modules_sign
Josh Boyer f0f4ff2
+modules_sign:
Josh Boyer f0f4ff2
+	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modsign
Josh Boyer f0f4ff2
+endif
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
 else # CONFIG_MODULES
Josh Boyer f0f4ff2
 
Josh Boyer f0f4ff2
 # Modules not configured
Josh Boyer f0f4ff2
diff --git a/scripts/Makefile.modsign b/scripts/Makefile.modsign
Josh Boyer f0f4ff2
new file mode 100644
Josh Boyer f0f4ff2
index 0000000..17326bc
Josh Boyer f0f4ff2
--- /dev/null
Josh Boyer f0f4ff2
+++ b/scripts/Makefile.modsign
Josh Boyer f0f4ff2
@@ -0,0 +1,72 @@
Josh Boyer f0f4ff2
+# ==========================================================================
Josh Boyer f0f4ff2
+# Signing modules
Josh Boyer f0f4ff2
+# ==========================================================================
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+PHONY := __modsign
Josh Boyer f0f4ff2
+__modsign:
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+include scripts/Kbuild.include
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+__modules := $(sort $(shell grep -h '\.ko' /dev/null $(wildcard $(MODVERDIR)/*.mod)))
Josh Boyer f0f4ff2
+modules := $(patsubst %.o,%.ko,$(wildcard $(__modules:.ko=.o)))
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+PHONY += $(modules)
Josh Boyer f0f4ff2
+__modsign: $(modules)
Josh Boyer f0f4ff2
+	@:
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+MODSECKEY = ./signing_key.priv
Josh Boyer f0f4ff2
+MODPUBKEY = ./signing_key.x509
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+ifeq ($(wildcard $(MODSECKEY))+$(wildcard $(MODPUBKEY)),$(MODSECKEY)+$(MODPUBKEY))
Josh Boyer f0f4ff2
+ifeq ($(KBUILD_SRC),)
Josh Boyer f0f4ff2
+       # no O= is being used
Josh Boyer f0f4ff2
+       SCRIPTS_DIR := scripts
Josh Boyer f0f4ff2
+else
Josh Boyer f0f4ff2
+       SCRIPTS_DIR := $(KBUILD_SRC)/scripts
Josh Boyer f0f4ff2
+endif
Josh Boyer f0f4ff2
+SIGN_MODULES := 1
Josh Boyer f0f4ff2
+else
Josh Boyer f0f4ff2
+SIGN_MODULES := 0
Josh Boyer f0f4ff2
+endif
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+# only sign if it's an in-tree module
Josh Boyer f0f4ff2
+ifneq ($(KBUILD_EXTMOD),)
Josh Boyer f0f4ff2
+SIGN_MODULES := 0
Josh Boyer f0f4ff2
+endif
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+ifeq ($(SIGN_MODULES),1)
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+quiet_cmd_genkeyid = GENKEYID $@
Josh Boyer f0f4ff2
+	cmd_genkeyid = \
Josh Boyer f0f4ff2
+		perl $(SCRIPTS_DIR)/x509keyid $< $<.signer $<.keyid
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+%.signer %.keyid: %
Josh Boyer f0f4ff2
+	$(call if_changed,genkeyid)
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+KEYRING_DEP := $(MODSECKEY) $(MODPUBKEY) $(MODPUBKEY).signer $(MODPUBKEY).keyid
Josh Boyer f0f4ff2
+quiet_cmd_sign_ko = SIGN [M] $(2)/$(notdir $@)
Josh Boyer f0f4ff2
+        cmd_sign_ko = \
Josh Boyer f0f4ff2
+		sh $(SCRIPTS_DIR)/sign-file $(MODSECKEY) $(MODPUBKEY) \
Josh Boyer f0f4ff2
+			$(2)/$(notdir $@) $(2)/$(notdir $@).signed && \
Josh Boyer f0f4ff2
+		mv $(2)/$(notdir $@).signed $(2)/$(notdir $@) && \
Josh Boyer f0f4ff2
+		rm -rf $(2)/$(notdir $@).{dig,sig}
Josh Boyer f0f4ff2
+else
Josh Boyer f0f4ff2
+KEYRING_DEP :=
Josh Boyer f0f4ff2
+quiet_cmd_sign_ko = NO SIGN [M] $@
Josh Boyer f0f4ff2
+      cmd_sign_ko = \
Josh Boyer f0f4ff2
+		true
Josh Boyer f0f4ff2
+endif
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+# Modules built outside the kernel source tree go into extra by default
Josh Boyer f0f4ff2
+INSTALL_MOD_DIR ?= extra
Josh Boyer f0f4ff2
+ext-mod-dir = $(INSTALL_MOD_DIR)$(subst $(patsubst %/,%,$(KBUILD_EXTMOD)),,$(@D))
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+modinst_dir = $(if $(KBUILD_EXTMOD),$(ext-mod-dir),kernel/$(@D))
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+$(modules): $(KEYRING_DEP)
Josh Boyer f0f4ff2
+	$(call cmd,sign_ko,$(MODLIB)/$(modinst_dir))
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+# Declare the contents of the .PHONY variable as phony.  We keep that
Josh Boyer f0f4ff2
+# # information in a variable se we can use it in if_changed and friends.
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+.PHONY: $(PHONY)
Josh Boyer f0f4ff2
diff --git a/scripts/sign-file b/scripts/sign-file
Josh Boyer f0f4ff2
new file mode 100644
be7ac52
index 0000000..e58e34e
Josh Boyer f0f4ff2
--- /dev/null
Josh Boyer f0f4ff2
+++ b/scripts/sign-file
Josh Boyer f0f4ff2
@@ -0,0 +1,115 @@
Josh Boyer f0f4ff2
+#!/bin/sh
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+# Sign a module file using the given key.
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+# Format: sign-file <key> <x509> <src-file> <dst-file>
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+scripts=`dirname $0`
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+CONFIG_MODULE_SIG_SHA512=y
Josh Boyer f0f4ff2
+if [ -r .config ]
Josh Boyer f0f4ff2
+then
be7ac52
+    . ./.config
Josh Boyer f0f4ff2
+fi
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+key="$1"
Josh Boyer f0f4ff2
+x509="$2"
Josh Boyer f0f4ff2
+src="$3"
Josh Boyer f0f4ff2
+dst="$4"
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+if [ ! -r "$key" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    echo "Can't read private key" >&2
Josh Boyer f0f4ff2
+    exit 2
Josh Boyer f0f4ff2
+fi
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+if [ ! -r "$x509" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    echo "Can't read X.509 certificate" >&2
Josh Boyer f0f4ff2
+    exit 2
Josh Boyer f0f4ff2
+fi
Josh Boyer f0f4ff2
+if [ ! -r "$x509.signer" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    echo "Can't read Signer name" >&2
Josh Boyer f0f4ff2
+    exit 2;
Josh Boyer f0f4ff2
+fi
Josh Boyer f0f4ff2
+if [ ! -r "$x509.keyid" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    echo "Can't read Key identifier" >&2
Josh Boyer f0f4ff2
+    exit 2;
Josh Boyer f0f4ff2
+fi
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+# Signature parameters
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+algo=1		# Public-key crypto algorithm: RSA
Josh Boyer f0f4ff2
+hash=		# Digest algorithm
Josh Boyer f0f4ff2
+id_type=1	# Identifier type: X.509
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+# Digest the data
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+dgst=
Josh Boyer f0f4ff2
+if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
Josh Boyer f0f4ff2
+    dgst=-sha1
Josh Boyer f0f4ff2
+    hash=2
Josh Boyer f0f4ff2
+elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
Josh Boyer f0f4ff2
+    dgst=-sha224
Josh Boyer f0f4ff2
+    hash=7
Josh Boyer f0f4ff2
+elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
Josh Boyer f0f4ff2
+    dgst=-sha256
Josh Boyer f0f4ff2
+    hash=4
Josh Boyer f0f4ff2
+elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
Josh Boyer f0f4ff2
+    dgst=-sha384
Josh Boyer f0f4ff2
+    hash=5
Josh Boyer f0f4ff2
+elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
Josh Boyer f0f4ff2
+then
Josh Boyer f0f4ff2
+    prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
Josh Boyer f0f4ff2
+    dgst=-sha512
Josh Boyer f0f4ff2
+    hash=6
Josh Boyer f0f4ff2
+else
Josh Boyer f0f4ff2
+    echo "$0: Can't determine hash algorithm" >&2
Josh Boyer f0f4ff2
+    exit 2
Josh Boyer f0f4ff2
+fi
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+(
Josh Boyer f0f4ff2
+perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
Josh Boyer f0f4ff2
+openssl dgst $dgst -binary $src || exit $?
Josh Boyer f0f4ff2
+) >$src.dig || exit $?
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+# Generate the binary signature, which will be just the integer that comprises
Josh Boyer f0f4ff2
+# the signature with no metadata attached.
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
Josh Boyer f0f4ff2
+signerlen=`stat -c %s $x509.signer`
Josh Boyer f0f4ff2
+keyidlen=`stat -c %s $x509.keyid`
Josh Boyer f0f4ff2
+siglen=`stat -c %s $src.sig`
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+# Build the signed binary
Josh Boyer f0f4ff2
+#
Josh Boyer f0f4ff2
+(
Josh Boyer f0f4ff2
+    cat $src || exit $?
Josh Boyer f0f4ff2
+    echo '~Module signature appended~' || exit $?
Josh Boyer f0f4ff2
+    cat $x509.signer $x509.keyid || exit $?
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+    # Preface each signature integer with a 2-byte BE length
Josh Boyer f0f4ff2
+    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
Josh Boyer f0f4ff2
+    cat $src.sig || exit $?
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+    # Generate the information block
Josh Boyer f0f4ff2
+    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
Josh Boyer f0f4ff2
+) >$dst~ || exit $?
Josh Boyer f0f4ff2
+
Josh Boyer f0f4ff2
+# Permit in-place signing
Josh Boyer f0f4ff2
+mv $dst~ $dst || exit $?
Josh Boyer f0f4ff2
-- 
be7ac52
1.7.12.1
Josh Boyer 20accb4