authorLinus Torvalds <torvalds@linux-foundation.org>2013-02-26 03:41:43 +0400
committerLinus Torvalds <torvalds@linux-foundation.org>2013-02-26 03:41:43 +0400
commit9043a2650cd21f96f831a97f516c2c302e21fb70 (patch)
tree926720afb0acc7bad8cfcae537dc58de552f9249 /scripts/sign-file
parentab7826595e9ec51a51f622c5fc91e2f59440481a (diff)
parentd9d8d7ed498ec65bea72dd24be7b9cd35af0c200 (diff)
Merge tag 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux
Pull module update from Rusty Russell: "The sweeping change is to make add_taint() explicitly indicate whether to disable lockdep, but it's a mechanical change." * tag 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: MODSIGN: Add option to not sign modules during modules_install MODSIGN: Add -s <signature> option to sign-file MODSIGN: Specify the hash algorithm on sign-file command line MODSIGN: Simplify Makefile with a Kconfig helper module: clean up load_module a little more. modpost: Ignore ARC specific non-alloc sections module: constify within_module_* taint: add explicit flag to show whether lock dep is still OK. module: printk message when module signature fail taints kernel.
Diffstat (limited to 'scripts/sign-file')
-rwxr-xr-xscripts/sign-file134
1 files changed, 63 insertions, 71 deletions
diff --git a/scripts/sign-file b/scripts/sign-file
index 974a20b661b7..2b7c4484d46c 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -2,51 +2,45 @@
#
# Sign a module file using the given key.
#
-# Format:
-#
-# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]
-#
-#
+
+my $USAGE =
+"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
+" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
+
use strict;
use FileHandle;
use IPC::Open2;
+use Getopt::Std;
-my $verbose = 0;
-if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
- $verbose = 1;
- shift;
-}
+my %opts;
+getopts('vs:', \%opts) or die $USAGE;
+my $verbose = $opts{'v'};
+my $signature_file = $opts{'s'};
-die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n"
- if ($#ARGV != 2 && $#ARGV != 3);
+die $USAGE if ($#ARGV > 4);
+die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
-my $private_key = $ARGV[0];
-my $x509 = $ARGV[1];
-my $module = $ARGV[2];
-my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~";
+my $dgst = shift @ARGV;
+my $private_key;
+if (!$signature_file) {
+ $private_key = shift @ARGV;
+}
+my $x509 = shift @ARGV;
+my $module = shift @ARGV;
+my ($dest, $keep_orig);
+if (@ARGV) {
+ $dest = $ARGV[0];
+ $keep_orig = 1;
+} else {
+ $dest = $module . "~";
+}
-die "Can't read private key\n" unless (-r $private_key);
+die "Can't read private key\n" if (!$signature_file && !-r $private_key);
+die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
die "Can't read X.509 certificate\n" unless (-r $x509);
die "Can't read module\n" unless (-r $module);
#
-# Read the kernel configuration
-#
-my %config = (
- CONFIG_MODULE_SIG_SHA512 => 1
- );
-
-if (-r ".config") {
- open(FD, "<.config") || die ".config";
- while (<FD>) {
- if ($_ =~ /^(CONFIG_.*)=[ym]/) {
- $config{$1} = 1;
- }
- }
- close(FD);
-}
-
-#
# Function to read the contents of a file into a variable.
#
sub read_file($)
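Review bot: The upper bound `die $USAGE if ($#ARGV > 4);` does not depend on `-s`, so in signature mode a fifth positional argument passes both checks and is silently ignored. Someone who adds `-s <raw sig>` but still passes the key by habit would have the key path taken as `$x509`, the certificate as `$module` and the module path as `$dest`, which the script then writes over. Tying the limit to the mode closes that gap: `die $USAGE if ($#ARGV > ($signature_file ? 3 : 4));`. The mode tests also rely on the truthiness of `$signature_file`, so `defined $opts{'s'}` would be the more exact test.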
@@ -321,73 +315,71 @@ my $id_type = 1; # Identifier type: X.509
#
# Digest the data
#
-my ($dgst, $prologue) = ();
-if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) {
+my $prologue;
+if ($dgst eq "sha1") {
$prologue = pack("C*",
0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
0x2B, 0x0E, 0x03, 0x02, 0x1A,
0x05, 0x00, 0x04, 0x14);
- $dgst = "-sha1";
$hash = 2;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) {
+} elsif ($dgst eq "sha224") {
$prologue = pack("C*",
0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
0x05, 0x00, 0x04, 0x1C);
- $dgst = "-sha224";
$hash = 7;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) {
+} elsif ($dgst eq "sha256") {
$prologue = pack("C*",
0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
0x05, 0x00, 0x04, 0x20);
- $dgst = "-sha256";
$hash = 4;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) {
+} elsif ($dgst eq "sha384") {
$prologue = pack("C*",
0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
0x05, 0x00, 0x04, 0x30);
- $dgst = "-sha384";
$hash = 5;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) {
+} elsif ($dgst eq "sha512") {
$prologue = pack("C*",
0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
0x05, 0x00, 0x04, 0x40);
- $dgst = "-sha512";
$hash = 6;
} else {
- die "Can't determine hash algorithm";
+ die "Unknown hash algorithm: $dgst\n";
}
-#
-# Generate the digest and read from openssl's stdout
-#
-my $digest;
-$digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst";
-
-#
-# Generate the binary signature, which will be just the integer that comprises
-# the signature with no metadata attached.
-#
-my $pid;
-$pid = open2(*read_from, *write_to,
- "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
- die "openssl rsautl";
-binmode write_to;
-print write_to $prologue . $digest || die "pipe to openssl rsautl";
-close(write_to) || die "pipe to openssl rsautl";
-
-binmode read_from;
my $signature;
-read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
-close(read_from) || die "pipe from openssl rsautl";
+if ($signature_file) {
+ $signature = read_file($signature_file);
+} else {
+ #
+ # Generate the digest and read from openssl's stdout
+ #
+ my $digest;
+ $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
+
+ #
+ # Generate the binary signature, which will be just the integer that
+ # comprises the signature with no metadata attached.
+ #
+ my $pid;
+ $pid = open2(*read_from, *write_to,
+ "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+ die "openssl rsautl";
+ binmode write_to;
+ print write_to $prologue . $digest || die "pipe to openssl rsautl";
+ close(write_to) || die "pipe to openssl rsautl";
+
+ binmode read_from;
+ read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
+ close(read_from) || die "pipe from openssl rsautl";
+ waitpid($pid, 0) || die;
+ die "openssl rsautl died: $?" if ($? >> 8);
+}
$signature = pack("n", length($signature)) . $signature,
-waitpid($pid, 0) || die;
-die "openssl rsautl died: $?" if ($? >> 8);
-
#
# Build the signed binary
#
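Review bot: `$module` and `$private_key` are interpolated into shell command strings in the `readpipe` and `open2` calls inside the new `else` branch, so a path containing whitespace or shell metacharacters is parsed by the shell instead of reaching openssl as a single argument. `$dgst` is not a concern here, because the if/elsif chain just above has already restricted it to five literal names before it is used. Both calls were only re-indented by this commit, but since the block is being restructured it is a good place to switch them to list form, which bypasses the shell. The sketch below keeps the existing error strings and leaves the write, read and `waitpid` logic as it is.

```perl
    # … unchanged: comment block on generating the digest …
    open(my $dgst_fh, "-|", "openssl", "dgst", "-$dgst", "-binary", $module) ||
	die "openssl dgst";
    binmode $dgst_fh;
    my $digest = do { local $/; <$dgst_fh> };
    close($dgst_fh) || die "openssl dgst";

    # … unchanged: comment block on the binary signature …
    my $pid;
    $pid = open2(*read_from, *write_to,
		 "openssl", "rsautl", "-sign",
		 "-inkey", $private_key, "-keyform", "PEM") ||
	die "openssl rsautl";
    # … unchanged: write prologue and digest, read signature, waitpid …
```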
@@ -424,6 +416,6 @@ print FD
;
close FD || die $dest;
-if ($#ARGV != 3) {
+if (!$keep_orig) {
rename($dest, $module) || die $module;
}