[PATCH v2] sign-file: add openssl engine support

From: Yang Song
Date: Thu Feb 18 2021 - 07:06:18 EST


Use a customized signature service supported by openssl engine
to sign the kernel module.
Add command line parameters that support engine for sign-file
to use the customized openssl engine service to sign kernel modules.

Signed-off-by: Yang Song <songyang@xxxxxxxxxxxxxxxxx>
---
scripts/sign-file.c | 54 +++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 52 insertions(+), 2 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f57..897976c859da 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -70,7 +70,7 @@ static __attribute__((noreturn))
void format(void)
{
fprintf(stderr,
- "Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
+ "Usage: scripts/sign-file [-dp] [-e <openssl engine>] <hash algo> <key> <x509> <module> [<dest>]\n");
fprintf(stderr,
" scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]\n");
exit(2);
@@ -206,9 +206,52 @@ static X509 *read_x509(const char *x509_name)
return x509;
}

+/* Try to load an engine in a shareable library */
+static ENGINE *try_load_engine(const char *engine)
+{
+ ENGINE *e = NULL;
+
+ e = ENGINE_by_id("dynamic");
+ if (e) {
+ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
+ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+ ENGINE_free(e);
+ e = NULL;
+ }
+ }
+ return e;
+}
+
+static ENGINE *setup_engine(const char *engine)
+{
+ ENGINE *e = NULL;
+
+ if (engine) {
+ e = ENGINE_by_id(engine);
+ if (e == NULL) {
+ e = try_load_engine(engine);
+ if (e == NULL) {
+ ERR(1, "Invalid engine \"%s\"\n", engine);
+ return NULL;
+ }
+ }
+
+ if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ ERR(1, "Can't use that engine\n");
+ ENGINE_free(e);
+ return NULL;
+ }
+
+ fprintf(stdout, "Engine \"%s\" set.\n", ENGINE_get_id(e));
+ }
+
+ return e;
+}
+
int main(int argc, char **argv)
{
struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+ char *ossl_engine = NULL;
char *hash_algo = NULL;
char *private_key_name = NULL, *raw_sig_name = NULL;
char *x509_name, *module_name, *dest_name;
@@ -242,8 +285,9 @@ int main(int argc, char **argv)
#endif

do {
- opt = getopt(argc, argv, "sdpk");
+ opt = getopt(argc, argv, "se:dpk");
switch (opt) {
+ case 'e': ossl_engine = optarg; break;
case 's': raw_sig = true; break;
case 'p': save_sig = true; break;
case 'd': sign_only = true; save_sig = true; break;
@@ -291,6 +335,12 @@ int main(int argc, char **argv)
ERR(!bm, "%s", module_name);

if (!raw_sig) {
+ if (ossl_engine != NULL) {
+ /* Engine setup */
+ ENGINE_load_builtin_engines();
+ setup_engine(ossl_engine);
+ }
+
/* Read the private key and the X.509 cert the PKCS#7 message
* will point to.
*/
--
2.19.1.3.ge56e4f7