• David Howells's avatar
    MODSIGN: Provide a utility to append a PKCS#7 signature to a module · c2befccb
    David Howells authored
    Provide a utility that:
    
     (1) Digests a module using the specified hash algorithm (typically sha256).
    
         [The digest can be dumped into a file by passing the '-d' flag]
    
     (2) Generates a PKCS#7 message that:
    
         (a) Has detached data (ie. the module content).
    
         (b) Is signed with the specified private key.
    
         (c) Refers to the specified X.509 certificate.
    
         (d) Has an empty X.509 certificate list.
    
         [The PKCS#7 message can be dumped into a file by passing the '-p' flag]
    
     (3) Generates a signed module by concatenating the old module, the PKCS#7
         message, a descriptor and a magic string.  The descriptor contains the
         size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7.
    
     (4) Either writes the signed module to the specified destination or renames
         it over the source module.
    
    This allows module signing to reuse the PKCS#7 handling code that was added
    for PE file parsing for signed kexec.
    
    Note that the utility is written in C and must be linked against the OpenSSL
    crypto library.
    
    Note further that I have temporarily dropped support for handling externally
    created signatures until we can work out the best way to do those.  Hopefully,
    whoever creates the signature can give me a PKCS#7 certificate.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Tested-by: default avatarVivek Goyal <vgoyal@redhat.com>
    c2befccb
sign-file.c 5.35 KB