Re: [PATCH 2/5] keys: generate self-signed module signing key using CSR

From: Nayna
Date: Thu Feb 18 2021 - 17:04:16 EST


On 2/11/21 5:01 PM, Stefan Berger wrote:
On 2/11/21 2:54 PM, Nayna Jain wrote:
Loading a key on the IMA trusted keyring requires the key be signed
by an existing key on the builtin or secondary trusted keyring.
Creating a Certificate Signing Request (CSR) allows the certificate
to be self-signed or signed by a CA.

This patch generates a self-signed module signing key using CSR.

Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
---
  Makefile       |  3 ++-
  certs/Makefile | 15 +++++++++++----
  2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index af18aab6bbee..9c87fdd600d8 100644
--- a/Makefile
+++ b/Makefile
@@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated          \
            .config .config.old .version \
            Module.symvers \
            certs/signing_key.pem certs/signing_key.x509 \
-          certs/x509.genkey \
+          certs/x509.genkey certs/signing_key.key \
+          certs/signing_key.crt certs/signing_key.csr \
            vmlinux-gdb.py \
            *.spec
  diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..b2be7eb413d3 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
      @$(kecho) "### needs to be run as root, and uses a hardware random"
      @$(kecho) "### number generator if one is available."
      @$(kecho) "###"
-    $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-        -batch -x509 -config $(obj)/x509.genkey \
-        -outform PEM -out $(obj)/signing_key.pem \
-        -keyout $(obj)/signing_key.pem \
+    $(Q)openssl req -new -nodes -utf8 \
+        -batch -config $(obj)/x509.genkey \
+        -outform PEM -out $(obj)/signing_key.csr \
+        -keyout $(obj)/signing_key.key -extensions myexts \
          $($(quiet)redirect_openssl)
+    $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
+        -outform PEM -out $(obj)/signing_key.crt \
+        -signkey $(obj)/signing_key.key \
+        -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
+        -extfile $(obj)/x509.genkey \
+        $($(quiet)redirect_openssl)
+    @cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem


Could you not just rename signing_key.key to signing_key.pem (as it was before) and that would be it? Why do you need the .crt in that pem bundle?

I had also thought so, but the PEM file contains both the private key and the certificate. I found the reasoning in the commit "fb1179499134 modsign: Use single PEM file for autogenerated key". I addressed your other feedback in v2, posted just now.

Thanks & Regards,

      - Nayna