• David Howells's avatar
    PKCS#7: Add an optional authenticated attribute to hold firmware name · c9d611f0
    David Howells authored
    Modify the sign-file program to take a "-F <firmware name>" parameter.  The
    name is a utf8 string that, if given, is inserted in a PKCS#7 authenticated
    attribute from where it can be extracted by the kernel.  Authenticated
    attributes are added to the signature digest.
    
    If the attribute is present, the signature would be assumed to be for
    firmware and would not be permitted with module signing or kexec.  The name
    associated with the attribute would be compared to the name passed to
    request_firmware() and the load request would be denied if they didn't
    match.
    
    If not present, the signature would be rejected if used for firmware.
    
    One oddity is that the attribute is per-signature, so if a second signature
    was added (which PKCS#7 supports), it would have to have the attribute added
    separately to that signature also.
    
    The kernel then parses this out, saves the string and makes sure the same
    string (or lack thereof) is present from all signers.  Then when
    system_verify_data() is called, it is passed a NULL if the attribute is
    expected not to be present and the name from request_firmware() if it is
    expected to be present.  Verification is rejected if there's a mismatch.
    
    I have allocated an type OID for this attribute from Red Hat OID space:
    
    	1.3.6.1.4.1.2312.16	Linux kernel
    	1.3.6.1.4.1.2312.16.2	- PKCS#7/CMS SignerInfo attribute types
    	1.3.6.1.4.1.2312.16.2.1	  - firmwareName
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    c9d611f0
pkcs7_parser.c 14.5 KB