| Message ID | 20241002133837.1030094-1-fam.zheng@bytedance.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | sign-file: Add -D "digest mode" | expand |
Hi Fam, kernel test robot noticed the following build errors: [auto build test ERROR on linus/master] [also build test ERROR on v6.12-rc1 next-20241003] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Fam-Zheng/sign-file-Add-D-digest-mode/20241002-215025 base: linus/master patch link: https://lore.kernel.org/r/20241002133837.1030094-1-fam.zheng%40bytedance.com patch subject: [PATCH] sign-file: Add -D "digest mode" config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20241004/202410041509.PbZBKm0L-lkp@intel.com/config) compiler: clang version 20.0.0git (https://github.com/llvm/llvm-project fef3566a25ff0e34fb87339ba5e13eca17cec00f) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241004/202410041509.PbZBKm0L-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410041509.PbZBKm0L-lkp@intel.com/ All errors (new ones prefixed by >>): WARNING: unmet direct dependencies detected for GET_FREE_REGION Depends on [n]: SPARSEMEM [=n] Selected by [m]: - RESOURCE_KUNIT_TEST [=m] && RUNTIME_TESTING_MENU [=y] && KUNIT [=m] >> scripts/sign-file.c:357:8: error: call to undeclared function 'CMS_final_digest'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 357 | ERR(CMS_final_digest(cms, digest_bin, digest_len, NULL, CMS_NOCERTS | CMS_BINARY) != 1, | ^ 1 error generated. make[3]: *** [scripts/Makefile.host:116: scripts/sign-file] Error 1 make[3]: Target 'scripts/' not remade because of errors. make[2]: *** [Makefile:1187: scripts] Error 2 make[2]: Target 'prepare' not remade because of errors. make[1]: *** [Makefile:224: __sub-make] Error 2 make[1]: Target 'prepare' not remade because of errors. make: *** [Makefile:224: __sub-make] Error 2 make: Target 'prepare' not remade because of errors. Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for MODVERSIONS Depends on [n]: MODULES [=y] && !COMPILE_TEST [=y] Selected by [y]: - RANDSTRUCT_FULL [=y] && (CC_HAS_RANDSTRUCT [=y] || GCC_PLUGINS [=n]) && MODULES [=y] WARNING: unmet direct dependencies detected for GET_FREE_REGION Depends on [n]: SPARSEMEM [=n] Selected by [m]: - RESOURCE_KUNIT_TEST [=m] && RUNTIME_TESTING_MENU [=y] && KUNIT [=m] vim +/CMS_final_digest +357 scripts/sign-file.c 329 330 if (!raw_sig) { 331 /* Read the private key and the X.509 cert the PKCS#7 message 332 * will point to. 333 */ 334 private_key = read_private_key(private_key_name); 335 x509 = read_x509(x509_name); 336 337 /* Digest the module data. */ 338 OpenSSL_add_all_digests(); 339 drain_openssl_errors(__LINE__, 0); 340 digest_algo = EVP_get_digestbyname(hash_algo); 341 ERR(!digest_algo, "EVP_get_digestbyname"); 342 343 #ifndef USE_PKCS7 344 /* Load the signature message from the digest buffer. */ 345 cms = CMS_sign(NULL, NULL, NULL, NULL, 346 CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | 347 CMS_DETACHED | CMS_STREAM); 348 ERR(!cms, "CMS_sign"); 349 350 ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, 351 CMS_NOCERTS | CMS_BINARY | 352 CMS_NOSMIMECAP | use_keyid | 353 (digest_mode ? CMS_KEY_PARAM : 0) | 354 use_signed_attrs), 355 "CMS_add1_signer"); 356 if (digest_mode) > 357 ERR(CMS_final_digest(cms, digest_bin, digest_len, NULL, CMS_NOCERTS | CMS_BINARY) != 1, 358 "CMS_final_digest"); 359 else 360 ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1, 361 "CMS_final"); 362
Hi Fam, kernel test robot noticed the following build warnings: [auto build test WARNING on linus/master] [also build test WARNING on v6.12-rc1 next-20241004] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Fam-Zheng/sign-file-Add-D-digest-mode/20241002-215025 base: linus/master patch link: https://lore.kernel.org/r/20241002133837.1030094-1-fam.zheng%40bytedance.com patch subject: [PATCH] sign-file: Add -D "digest mode" config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20241004/202410042115.WT7VlS8U-lkp@intel.com/config) compiler: alpha-linux-gcc (GCC) 13.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241004/202410042115.WT7VlS8U-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410042115.WT7VlS8U-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from scripts/sign-file.c:40: scripts/sign-file.c: In function 'main': >> scripts/sign-file.c:357:29: warning: implicit declaration of function 'CMS_final_digest' [-Wimplicit-function-declaration] 357 | ERR(CMS_final_digest(cms, digest_bin, digest_len, NULL, CMS_NOCERTS | CMS_BINARY) != 1, | ^~~~~~~~~~~~~~~~ scripts/ssl-common.h:27:32: note: in definition of macro 'ERR' 27 | bool __cond = (cond); \ | ^~~~ -- In file included from scripts/sign-file.c:40: scripts/sign-file.c: In function 'main': >> scripts/sign-file.c:357:29: warning: implicit declaration of function 'CMS_final_digest' [-Wimplicit-function-declaration] 357 | ERR(CMS_final_digest(cms, digest_bin, digest_len, NULL, CMS_NOCERTS | CMS_BINARY) != 1, | ^~~~~~~~~~~~~~~~ scripts/ssl-common.h:27:32: note: in definition of macro 'ERR' 27 | bool __cond = (cond); \ | ^~~~ vim +/CMS_final_digest +357 scripts/sign-file.c 329 330 if (!raw_sig) { 331 /* Read the private key and the X.509 cert the PKCS#7 message 332 * will point to. 333 */ 334 private_key = read_private_key(private_key_name); 335 x509 = read_x509(x509_name); 336 337 /* Digest the module data. */ 338 OpenSSL_add_all_digests(); 339 drain_openssl_errors(__LINE__, 0); 340 digest_algo = EVP_get_digestbyname(hash_algo); 341 ERR(!digest_algo, "EVP_get_digestbyname"); 342 343 #ifndef USE_PKCS7 344 /* Load the signature message from the digest buffer. */ 345 cms = CMS_sign(NULL, NULL, NULL, NULL, 346 CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | 347 CMS_DETACHED | CMS_STREAM); 348 ERR(!cms, "CMS_sign"); 349 350 ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, 351 CMS_NOCERTS | CMS_BINARY | 352 CMS_NOSMIMECAP | use_keyid | 353 (digest_mode ? CMS_KEY_PARAM : 0) | 354 use_signed_attrs), 355 "CMS_add1_signer"); 356 if (digest_mode) > 357 ERR(CMS_final_digest(cms, digest_bin, digest_len, NULL, CMS_NOCERTS | CMS_BINARY) != 1, 358 "CMS_final_digest"); 359 else 360 ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1, 361 "CMS_final"); 362
diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 7070245edfc1..29e1aa798f54 100644 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -56,6 +56,9 @@ defined(OPENSSL_NO_CMS) #define USE_PKCS7 #endif +#if OPENSSL_VERSION_NUMBER > 0x30200000L +#define HAS_CMS_final_digest 1 +#endif #ifndef USE_PKCS7 #include <openssl/cms.h> #else @@ -80,9 +83,9 @@ static __attribute__((noreturn)) void format(void) { fprintf(stderr, - "Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n"); + "Usage: scripts/sign-file [-dpD] <hash algo> <key> <x509> <file> [<dest>]\n"); fprintf(stderr, - " scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]\n"); + " scripts/sign-file -s <raw sig> <hash algo> <x509> <file> [<dest>]\n"); exit(2); } @@ -229,6 +232,9 @@ int main(int argc, char **argv) unsigned char buf[4096]; unsigned long module_size, sig_size; unsigned int use_signed_attrs; + bool digest_mode = false; + unsigned char digest_bin[4096]; + long digest_len; const EVP_MD *digest_algo; EVP_PKEY *private_key; #ifndef USE_PKCS7 @@ -253,11 +259,20 @@ int main(int argc, char **argv) #endif do { - opt = getopt(argc, argv, "sdpk"); + opt = getopt(argc, argv, "sdpkD"); switch (opt) { case 's': raw_sig = true; break; case 'p': save_sig = true; break; case 'd': sign_only = true; save_sig = true; break; + case 'D': +#ifdef HAS_CMS_final_digest + digest_mode = true; + break; +#else + fprintf(stderr, "digest signing is not supported by the openssl version in use\n"); + exit(3); + break; +#endif #ifndef USE_PKCS7 case 'k': use_keyid = CMS_USE_KEYID; break; #endif @@ -301,6 +316,17 @@ int main(int argc, char **argv) bm = BIO_new_file(module_name, "rb"); ERR(!bm, "%s", module_name); +#ifdef HAS_CMS_final_digest + if (digest_mode) { + digest_len = BIO_read(bm, digest_bin, sizeof(digest_bin)); + if (digest_len >= sizeof(digest_bin)) { + fprintf(stderr, "sign-file: Digest file too large (max %ld)\n", sizeof(digest_bin)); + exit(3); + } + ERR(BIO_reset(bm) < 0, "%s", module_name); + } +#endif + if (!raw_sig) { /* Read the private key and the X.509 cert the PKCS#7 message * will point to. @@ -324,10 +350,15 @@ int main(int argc, char **argv) ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP | use_keyid | + (digest_mode ? CMS_KEY_PARAM : 0) | use_signed_attrs), "CMS_add1_signer"); - ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1, - "CMS_final"); + if (digest_mode) + ERR(CMS_final_digest(cms, digest_bin, digest_len, NULL, CMS_NOCERTS | CMS_BINARY) != 1, + "CMS_final_digest"); + else + ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1, + "CMS_final"); #else pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
This allows the command to sign by a binary digest file, instead of the original ko file. Combined with the -p (save_sig), we can now split module building (e.g. dkms) and module signing into different steps and environments, while _not_ requiring copying the whole module file back and forth. Example usage: 1. On host side: mod=ip6_gre.ko openssl dgst -binary -sha256 $mod > $mod.digest 2. Send $mod.digest over to a signing service 3. On the server side, sign the digest using new mode: ./sign-file -dpD sha256 private_key.pem cert.pem $mod.digest 4. Server returns the signature (it will be named $mod.digest.p7s) in binary 5. Client uses the returned signature to sign the ko locally: ./sign-file -s signature sha256 cert.pem $mod Signed-off-by: Fam Zheng <fam.zheng@bytedance.com> --- scripts/sign-file.c | 41 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-)