diff --git a/0001-sign-file-full-functionality-with-modern-LibreSSL.patch b/0001-sign-file-full-functionality-with-modern-LibreSSL.patch
new file mode 100644
index 0000000..7cd3dd7
--- /dev/null
+++ b/0001-sign-file-full-functionality-with-modern-LibreSSL.patch
@@ -0,0 +1,47 @@
+From 7fac9b5a88bf45574b92cc3ad74fac32f3bacbcc Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Thu, 19 Mar 2020 00:15:41 +0300
+Subject: [PATCH] sign-file: full functionality with modern LibreSSL
+
+Current pre-release version of LibreSSL has enabled CMS support,
+and now sign-file is fully functional with it.
+
+See https://github.com/libressl-portable/openbsd/commits/master
+
+To test buildability with LibreSSL:
+~$ git clone https://github.com/libressl-portable/portable.git
+~$ cd portable && ./autogen.sh
+~$ ./configure --prefix=/opt/libressl
+~$ make
+~# make install
+Go to the kernel source tree and:
+~$ gcc -I/opt/libressl/include -L /opt/libressl/lib -lcrypto -Wl,-rpath,/opt/libressl/lib scripts/sign-file.c -o scripts/sign-file
+
+Fixes: f8688017 ("sign-file: fix build error in sign-file.c with libressl")
+
+Signed-off-by: Mikhail Novosyolov
+---
+ scripts/sign-file.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/sign-file.c b/scripts/sign-file.c
+index fbd34b8e8f57..fd4d7c31d1bf 100644
+--- a/scripts/sign-file.c
++++ b/scripts/sign-file.c
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
+-- 
+2.20.1
+
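Review bot: The new LibreSSL cut-off `0x3010000fL` in the inner sign-file.c hunk carries no explanation, and the comment above the `#if` (which begins outside the hunk) only discusses the OpenSSL side, so the rationale for 3.1.0 lives only in this commit message. I would add directly above the `#if`: `/* LibreSSL gained CMS support in 3.1.0; older LibreSSL takes the PKCS#7 path. */`. Since that context comment appears to say the PKCS#7 path is limited to SHA1, the new condition means building against an older LibreSSL silently produces weaker module signatures instead of failing the build, and the added comment should state that so packagers notice. The commit message derives the threshold from a pre-release LibreSSL, so the value should be re-checked against the released 3.1.0 header before this patch is treated as final.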
diff --git a/WIP-Sign-modules-with-GOST-by-LibreSSL.patch b/WIP-Sign-modules-with-GOST-by-LibreSSL.patch
deleted file mode 100644
index ba5393e..0000000
--- a/WIP-Sign-modules-with-GOST-by-LibreSSL.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 686598dcff4fd9f91a77b95fb1cf852971283a49 Mon Sep 17 00:00:00 2001
-From: Mikhail Novosyolov
-Date: Wed, 11 Dec 2019 21:17:15 +0300
-Subject: [PATCH 4/4] (WIP) Sign modules with GOST by LibreSSL
-
-[ work in progress ]
---
- certs/Makefile | 1 +
- init/Kconfig | 10 ++++++++++
- scripts/sign-file.c | 4 +---
- 3 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/certs/Makefile b/certs/Makefile
-index f4c25b67aad9..39fb3a53bfe3 100644
---- a/certs/Makefile
-+++ b/certs/Makefile
-@@ -60,6 +60,7 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
- @$(kecho) "### needs to be run as root, and uses a hardware random"
- @$(kecho) "### number generator if one is available."
- @$(kecho) "###"
-+# TODO: fix for LibreSSL/OpenSSL + GOST (Streebog)
- $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
- -batch -x509 -config $(obj)/x509.genkey \
- -outform PEM -out $(obj)/signing_key.pem \
-diff --git a/init/Kconfig b/init/Kconfig
-index b4daad2bac23..0a733a1399e1 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -2119,6 +2119,14 @@ config MODULE_SIG_SHA512
- bool "Sign modules with SHA-512"
- select CRYPTO_SHA512
-
-+config MODULE_SIG_STREEBOG256
-+ bool "Sign modules with STREEBOG-256"
-+ select CRYPTO_STREEBOG
-+
-+config MODULE_SIG_STREEBOG512
-+ bool "Sign modules with STREEBOG-512"
-+ select CRYPTO_STREEBOG
-+
- endchoice
-
- config MODULE_SIG_HASH
-@@ -2129,6 +2137,8 @@ config MODULE_SIG_HASH
- default "sha256" if MODULE_SIG_SHA256
- default "sha384" if MODULE_SIG_SHA384
- default "sha512" if MODULE_SIG_SHA512
-+ default "streebog256" if MODULE_SIG_STREEBOG256
-+ default "streebog512" if MODULE_SIG_STREEBOG512
-
- config MODULE_COMPRESS
- bool "Compress modules on installation"
-diff --git a/scripts/sign-file.c b/scripts/sign-file.c
-index fbd34b8e8f57..010c5f02ff5e 100644
---- a/scripts/sign-file.c
-+++ b/scripts/sign-file.c
-@@ -41,9 +41,7 @@
- * signing with anything other than SHA1 - so we're stuck with that if such is
- * the case.
- */
--#if defined(LIBRESSL_VERSION_NUMBER) || \
-- OPENSSL_VERSION_NUMBER < 0x10000000L || \
-- defined(OPENSSL_NO_CMS)
-+#if defined(OPENSSL_NO_CMS) || OPENSSL_VERSION_NUMBER < 0x10000000L
- #define USE_PKCS7
- #endif
- #ifndef USE_PKCS7
---
-2.20.1
-
diff --git a/kernel.spec b/kernel.spec
index 70590a4..2310eb5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -11,7 +11,7 @@
 %define sublevel 25
 # Release number. Increase this before a rebuild.
-%define rpmrel 10
+%define rpmrel 11
 %define fullrpmrel %{rpmrel}
 %define rpmtag %{disttag}
@@ -225,7 +225,8 @@ Patch202: 0002-Documentation-for-AltHa-LSM.patch
 # Other patches
 Patch301: objtool-sync-check.sh-set-the-exit-code-explicitly.patch
-Patch302: WIP-Sign-modules-with-GOST-by-LibreSSL.patch
+# sent to upstream
+Patch302: 0001-sign-file-full-functionality-with-modern-LibreSSL.patch
 # Disable AutoReq
 AutoReq: 0
@@ -893,8 +894,6 @@ echo CONFIG_MODULE_SIG_FORCE=n >> %{build_dir}/.config.append
 # If %%build_debig is true, signatures will be stripped
 # We sign modules manually in a tricky way bellow
 echo CONFIG_MODULE_SIG_ALL=n >> %{build_dir}/.config.append
-# Use STREEBOG-512 algo (GOST R 34.11-12)
-echo CONFIG_MODULE_SIG_STREEBOG512=y >> %{build_dir}/.config.append
 # Set path to the key that will be generated later by openssl/libressl
 echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_priv_rnd}\" >> %{build_dir}/.config.append
 # Set path to one PEM file with all keys that the kernel must trust
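Review bot: The new `# sent to upstream` comment above Patch302 gives no pointer to the submission, so a later maintainer cannot check whether the patch was merged and retire the downstream copy. I would extend it to name the thread or upstream commit once known, e.g. `# sent to upstream: <link-to-submission>` (placeholder). Keeping that reference next to the Patch line is what makes the next rebase able to drop it safely.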
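Review bot: Removing `CONFIG_MODULE_SIG_STREEBOG512=y` in the third kernel.spec hunk leaves the module-signature digest unpinned: nothing in the hunk selects another `CONFIG_MODULE_SIG_*` option, so `CONFIG_MODULE_SIG_HASH` now comes from whatever the base config or Kconfig default picks, which is not visible here. Because the context comment says modules are signed manually and the key is generated with that hash elsewhere, I would pin the choice explicitly next to the other `echo` lines, e.g. `echo CONFIG_MODULE_SIG_SHA512=y >> %{build_dir}/.config.append` (a constructed example; use the digest the manual signing step actually relies on), so the digest cannot drift on a defconfig change. The surrounding context also carries the typos `build_debig` and `bellow`, which could be fixed while this block is being touched.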