Documentation/module-signing.txt +26 −5 Original line number Diff line number Diff line Loading @@ -88,6 +88,22 @@ This has a number of options available: than being a module) so that modules signed with that algorithm can have their signatures checked without causing a dependency loop. (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) Setting this option to something other than its default of "signing_key.priv" will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of your choosing. The string provided should identify a file containing a private key in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11 is appropriately installed — a PKCS#11 URI as defined by RFC7512. If the PEM file containing the private key is encrypted, or if the PKCS#11 token requries a PIN, this can be provided at build time by means of the KBUILD_SIGN_PIN variable. The corresponding X.509 certificate in DER form should still be placed in a file named signing_key.x509 in the top-level build directory. ======================= GENERATING SIGNING KEYS Loading @@ -100,8 +116,9 @@ it can be deleted or stored securely. The public key gets built into the kernel so that it can be used to check the signatures as the modules are loaded. Under normal conditions, the kernel build will automatically generate a new keypair using openssl if one does not exist in the files: Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its default of "signing_key.priv", the kernel build will automatically generate a new keypair using openssl if one does not exist in the files: signing_key.priv signing_key.x509 Loading Loading 
@@ -135,8 +152,12 @@ kernel sources tree and the openssl command. The following is an example to generate the public/private key files: openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \ -config x509.genkey -outform DER -out signing_key.x509 \ -keyout signing_key.priv -config x509.genkey -outform PEM -out kernel_key.pem \ -keyout kernel_key.pem The full pathname for the resulting kernel_key.pem file can then be specified in the CONFIG_MODULE_SIG_KEY option, and the certificate and key therein will be used instead of an autogenerated keypair. ========================= Loading Loading @@ -181,7 +202,7 @@ To manually sign a module, use the scripts/sign-file tool available in the Linux kernel source tree. The script requires 4 arguments: 1. The hash algorithm (e.g., sha256) 2. The private key filename 2. The private key filename or PKCS#11 URI 3. The public key filename 4. The kernel module to be signed Loading
Makefile +1 −1 Original line number Diff line number Diff line Loading @@ -870,7 +870,7 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y) ifdef CONFIG_MODULE_SIG_ALL MODSECKEY = ./signing_key.priv MODSECKEY = $(CONFIG_MODULE_SIG_KEY) MODPUBKEY = ./signing_key.x509 export MODPUBKEY mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) Loading
init/Kconfig +14 −0 Original line number Diff line number Diff line Loading @@ -1948,6 +1948,20 @@ config MODULE_SIG_HASH default "sha384" if MODULE_SIG_SHA384 default "sha512" if MODULE_SIG_SHA512 config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "signing_key.priv" depends on MODULE_SIG help Provide the file name of a private key in PKCS#8 PEM format, or a PKCS#11 URI according to RFC7512. The corresponding X.509 certificate in DER form should be present in signing_key.x509 in the top-level build directory. If this option is unchanged from its default "signing_key.priv", then the kernel will automatically generate the private key and certificate as described in Documentation/module-signing.txt config MODULE_COMPRESS bool "Compress modules on installation" depends on MODULES Loading
kernel/Makefile +5 −0 Original line number Diff line number Diff line Loading @@ -170,6 +170,10 @@ ifndef CONFIG_MODULE_SIG_HASH $(error Could not determine digest type to use from kernel config) endif # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv") signing_key.priv signing_key.x509: x509.genkey @echo "###" @echo "### Now generating an X.509 key pair to be used for signing modules." Loading Loading @@ -207,3 +211,4 @@ x509.genkey: @echo >>x509.genkey "subjectKeyIdentifier=hash" @echo >>x509.genkey "authorityKeyIdentifier=keyid" endif endif
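Review bot: In the Documentation/module-signing.txt hunk at @@ -88,6 +88,22 @@, the new option (4) text documents KBUILD_SIGN_PIN, but none of the hunks in this patch reference that variable, so a reader cannot tell from this change where it is consumed. Either carry the consuming change in the same patch or name the tool that reads it. The same paragraph contains a typo ("requries" should be "requires") and calls the key format "PEM form" while the init/Kconfig help text says "PKCS#8 PEM format"; use one wording in both places.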
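Review bot: In the @@ -135,8 +152,12 @@ hunk of Documentation/module-signing.txt, the revised openssl example writes both the certificate and the key to kernel_key.pem with -outform PEM, yet the option (4) text and the Kconfig help added by this patch say the X.509 certificate in DER form should be in signing_key.x509, and the top-level Makefile still sets MODPUBKEY = ./signing_key.x509. Someone following the example as written ends up without a signing_key.x509, so the sentence "the certificate and key therein will be used" does not match the rest of the change. Either keep a step that produces signing_key.x509 in DER form or make the certificate location configurable as well. The example also keeps -nodes, which leaves the private key unencrypted on disk; that deserves a remark now that the text covers encrypted PEM files.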
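Review bot: In the top-level Makefile hunk, MODSECKEY = $(CONFIG_MODULE_SIG_KEY) is expanded unmodified into mod_sign_cmd, so the shell sees it as a single argument only because the config value still carries its double quotes (the kernel/Makefile hunk compares against "signing_key.priv" with the quotes included). A PKCS#11 URI as defined by RFC7512 separates its attributes with ';', so that embedded quoting is what keeps a URI from being split into separate shell commands. Please add a comment stating that dependency, or quote the argument explicitly where mod_sign_cmd is defined.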
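Review bot: The MODULE_SIG_KEY help text in the init/Kconfig hunk does not say how a relative file name is resolved, while the documentation hunk tells users to specify the "full pathname"; state in the help whether a relative name is taken from the top-level build directory. The help also omits KBUILD_SIGN_PIN, which the documentation hunk describes for encrypted keys and PIN-protected tokens, and the last sentence is missing its period after Documentation/module-signing.txt.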
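Review bot: The ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv") guard added in the kernel/Makefile hunk at @@ -170,6 +170,10 @@ has no else branch, so when an external key is configured nothing in the lines shown checks that signing_key.x509 exists or corresponds to that key. A stale or mismatched certificate would yield modules signed with a key the built kernel does not trust, and that would surface only when the modules are loaded. Consider an else branch that stops the build with $(error ...) when signing_key.x509 is missing. The exact string comparison also means a value such as "./signing_key.priv" silently disables autogeneration; the new comment should say so.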