1
linux/init
David Howells 48ba2462ac MODSIGN: Implement module signature checking
Check the signature on the module against the keys compiled into the kernel or
available in a hardware key store.

Currently, only RSA keys are supported - though that's easy enough to change,
and the signature is expected to contain raw components (so not a PGP or
PKCS#7 formatted blob).

The signature blob is expected to consist of the following pieces in order:

 (1) The binary identifier for the key.  This is expected to match the
     SubjectKeyIdentifier from an X.509 certificate.  Only X.509 type
     identifiers are currently supported.

 (2) The signature data, consisting of a series of MPIs in which each is in
     the format of a 2-byte BE word sizes followed by the content data.

 (3) A 12 byte information block of the form:

	struct module_signature {
		enum pkey_algo		algo : 8;
		enum pkey_hash_algo	hash : 8;
		enum pkey_id_type	id_type : 8;
		u8			__pad;
		__be32			id_length;
		__be32			sig_length;
	};

     The three enums are defined in crypto/public_key.h.

     'algo' contains the public-key algorithm identifier (0->DSA, 1->RSA).

     'hash' contains the digest algorithm identifier (0->MD4, 1->MD5, 2->SHA1,
      etc.).

     'id_type' contains the public-key identifier type (0->PGP, 1->X.509).

     '__pad' should be 0.

     'id_length' should contain in the binary identifier length in BE form.

     'sig_length' should contain in the signature data length in BE form.

     The lengths are in BE order rather than CPU order to make dealing with
     cross-compilation easier.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (minor Kconfig fix)
2012-10-10 20:06:10 +10:30
..
calibrate.c init: check printed flag to skip printing message 2012-03-23 16:58:38 -07:00
do_mounts_initrd.c init: disable sparse checking of the mount.o source files 2012-05-31 17:49:27 -07:00
do_mounts_md.c init: disable sparse checking of the mount.o source files 2012-05-31 17:49:27 -07:00
do_mounts_rd.c init: disable sparse checking of the mount.o source files 2012-05-31 17:49:27 -07:00
do_mounts.c init: disable sparse checking of the mount.o source files 2012-05-31 17:49:27 -07:00
do_mounts.h
init_task.c init_task: Create generic init_task instance 2012-05-05 13:00:21 +02:00
initramfs.c init: disable sparse checking of the mount.o source files 2012-05-31 17:49:27 -07:00
Kconfig MODSIGN: Implement module signature checking 2012-10-10 20:06:10 +10:30
main.c Revert "x86-64/efi: Use EFI to deal with platform wall clock" 2012-08-14 09:58:25 -07:00
Makefile init_task: Replace CONFIG_HAVE_GENERIC_INIT_TASK 2012-05-05 13:00:46 +02:00
noinitramfs.c init: mark __user address space on string literals 2010-10-26 16:52:15 -07:00
version.c userns: add a user_namespace as creator/owner of uts_namespace 2011-03-23 19:46:59 -07:00