kbuild: sign the modules at install time

export mod_strip_cmd

ifeq ($(CONFIG_MODULE_SIG),y)

MODSECKEY = ./signing_key.priv

MODPUBKEY = ./signing_key.x509

export MODPUBKEY

mod_sign_cmd = sh $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY) $(srctree)/scripts/x509keyid

else

mod_sign_cmd = true

endif

export mod_sign_cmd

ifeq ($(KBUILD_EXTMOD),)

core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/

	@:

quiet_cmd_modules_install = INSTALL $@

      cmd_modules_install = mkdir -p $(2); cp $@ $(2) ; $(mod_strip_cmd) $(2)/$(notdir $@)

      cmd_modules_install = mkdir -p $(2); cp $@ $(2) ; $(mod_strip_cmd) $(2)/$(notdir $@) ; $(mod_sign_cmd) $(2)/$(notdir $@)

# Modules built outside the kernel source tree go into extra by default

INSTALL_MOD_DIR ?= extra

# 3)  create one <module>.mod.c file pr. module

# 4)  create one Module.symvers file with CRC for all exported symbols

# 5) compile all <module>.mod.c files

# 6) final link of the module to a <module.ko> (or <module.unsigned>) file

# 7) signs the modules to a <module.ko> file

# 6) final link of the module to a <module.ko> file

# Step 3 is used to place certain information in the module's ELF

# section, including information such as:

# Step 4 is solely used to allow module versioning in external modules,

# where the CRC of each module is retrieved from the Module.symvers file.

# Step 7 is dependent on CONFIG_MODULE_SIG being enabled.

# KBUILD_MODPOST_WARN can be set to avoid error out in case of undefined

# symbols in the final module linking stage

# KBUILD_MODPOST_NOFINAL can be set to skip the final link of modules.

targets += $(modules:.ko=.mod.o)

# Step 6), final link of the modules

ifneq ($(CONFIG_MODULE_SIG),y)

quiet_cmd_ld_ko_o = LD [M]  $@

      cmd_ld_ko_o = $(LD) -r $(LDFLAGS)                                 \

                             $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \

	$(call if_changed,ld_ko_o)

targets += $(modules)

else

quiet_cmd_ld_ko_unsigned_o = LD [M]  $@

      cmd_ld_ko_unsigned_o =						\

		$(LD) -r $(LDFLAGS)					\

			 $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE)	\

			 -o $@ $(filter-out FORCE,$^)			\

		$(if $(AFTER_LINK),; $(AFTER_LINK))

$(modules:.ko=.ko.unsigned): %.ko.unsigned :%.o %.mod.o FORCE

	$(call if_changed,ld_ko_unsigned_o)

targets += $(modules:.ko=.ko.unsigned)

# Step 7), sign the modules

MODSECKEY = ./signing_key.priv

MODPUBKEY = ./signing_key.x509

ifeq ($(wildcard $(MODSECKEY))+$(wildcard $(MODPUBKEY)),$(MODSECKEY)+$(MODPUBKEY))

ifeq ($(KBUILD_SRC),)

	# no O= is being used

	SCRIPTS_DIR := scripts

else

	SCRIPTS_DIR := $(KBUILD_SRC)/scripts

endif

SIGN_MODULES := 1

else

SIGN_MODULES := 0

endif

# only sign if it's an in-tree module

ifneq ($(KBUILD_EXTMOD),)

SIGN_MODULES := 0

endif

# We strip the module as best we can - note that using both strip and eu-strip

# results in a smaller module than using either alone.

EU_STRIP = $(shell which eu-strip || echo true)

quiet_cmd_sign_ko_stripped_ko_unsigned = STRIP [M] $@

      cmd_sign_ko_stripped_ko_unsigned = \

		cp $< $@ && \

		strip -x -g $@ && \

		$(EU_STRIP) $@

ifeq ($(SIGN_MODULES),1)

quiet_cmd_genkeyid = GENKEYID $@

      cmd_genkeyid = \

		perl $(SCRIPTS_DIR)/x509keyid $< $<.signer $<.keyid

%.signer %.keyid: %

	$(call if_changed,genkeyid)

KEYRING_DEP := $(MODSECKEY) $(MODPUBKEY) $(MODPUBKEY).signer $(MODPUBKEY).keyid

quiet_cmd_sign_ko_ko_stripped = SIGN [M] $@

      cmd_sign_ko_ko_stripped = \

		sh $(SCRIPTS_DIR)/sign-file $(MODSECKEY) $(MODPUBKEY) $< $@

else

KEYRING_DEP :=

quiet_cmd_sign_ko_ko_unsigned = NO SIGN [M] $@

      cmd_sign_ko_ko_unsigned = \

		cp $< $@

endif

$(modules): %.ko :%.ko.stripped $(KEYRING_DEP) FORCE

	$(call if_changed,sign_ko_ko_stripped)

$(patsubst %.ko,%.ko.stripped,$(modules)): %.ko.stripped :%.ko.unsigned FORCE

	$(call if_changed,sign_ko_stripped_ko_unsigned)

targets += $(modules)

endif

# Add FORCE to the prequisites of a target to force it to be always rebuilt.

# ---------------------------------------------------------------------------

#!/bin/sh

#!/bin/bash

#

# Sign a module file using the given key.

#

# Format: sign-file <key> <x509> <src-file> <dst-file>

# Format: sign-file <key> <x509> <keyid-script> <module>

#

scripts=`dirname $0`

key="$1"

x509="$2"

src="$3"

dst="$4"

keyid_script="$3"

mod="$4"

if [ ! -r "$key" ]

then

    echo "Can't read X.509 certificate" >&2

    exit 2

fi

if [ ! -r "$x509.signer" ]

then

    echo "Can't read Signer name" >&2

    exit 2;

fi

if [ ! -r "$x509.keyid" ]

then

    echo "Can't read Key identifier" >&2

    exit 2;

fi

#

# Signature parameters

(

perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?

openssl dgst $dgst -binary $src || exit $?

) >$src.dig || exit $?

openssl dgst $dgst -binary $mod || exit $?

) >$mod.dig || exit $?

#

# Generate the binary signature, which will be just the integer that comprises

# the signature with no metadata attached.

#

openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?

signerlen=`stat -c %s $x509.signer`

keyidlen=`stat -c %s $x509.keyid`

siglen=`stat -c %s $src.sig`

openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?

SIGNER="`perl $keyid_script $x509 signer-name`"

KEYID="`perl $keyid_script $x509 keyid`"

keyidlen=${#KEYID}

siglen=${#SIGNER}

#

# Build the signed binary

#

(

    cat $src || exit $?

    cat $mod || exit $?

    echo '~Module signature appended~' || exit $?

    cat $x509.signer $x509.keyid || exit $?

    echo -n "$SIGNER" || exit $?

    echo -n "$KEYID" || exit $?

    # Preface each signature integer with a 2-byte BE length

    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?

    cat $src.sig || exit $?

    cat $mod.sig || exit $?

    # Generate the information block

    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?

) >$dst~ || exit $?

) >$mod~ || exit $?

# Permit in-place signing

mv $dst~ $dst || exit $?

mv $mod~ $mod || exit $?

my $raw_data;

die "Need three filenames\n" if ($#ARGV != 2);

die "Need a filename [keyid|signer-name]\n" if ($#ARGV != 1);

my $src = $ARGV[0];

my $id_key_id = asn1_retrieve($subject_key_id->[1]);

open(OUTFD, ">$ARGV[1]") || die $ARGV[1];

print OUTFD $id_name;

close OUTFD || die $ARGV[1];

open(OUTFD, ">$ARGV[2]") || die $ARGV[2];

print OUTFD $id_key_id;

close OUTFD || die $ARGV[2];

if ($ARGV[1] eq "signer-name") {

    print $id_name;

} elsif ($ARGV[1] eq "keyid") {

    print $id_key_id;

} else {

    die "Unknown arg";

}