Replace patch for sign-file.c with the one sent to upstream. CONFIG_MODULE_SIG_STREEBOG* does not make sense now as there is no tool to properly sign with a GOST algo

2025-02-23 18:42:55 +00:00 · 2020-03-19 00:41:40 +03:00 · 2020-03-19 00:41:40 +03:00 · 4e695cf30c
commit 4e695cf30c
parent 784b256f80
3 changed files with 50 additions and 74 deletions
--- a/0001-sign-file-full-functionality-with-modern-LibreSSL.patch
+++ b/0001-sign-file-full-functionality-with-modern-LibreSSL.patch
@ -0,0 +1,47 @@
 From 7fac9b5a88bf45574b92cc3ad74fac32f3bacbcc Mon Sep 17 00:00:00 2001
 From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 Date: Thu, 19 Mar 2020 00:15:41 +0300
 Subject: [PATCH] sign-file: full functionality with modern LibreSSL
 Current pre-release version of LibreSSL has enabled CMS support,
 and now sign-file is fully functional with it.
 See https://github.com/libressl-portable/openbsd/commits/master
 To test buildability with LibreSSL:
 ~$ git clone https://github.com/libressl-portable/portable.git
 ~$ cd portable && ./autogen.sh
 ~$ ./configure --prefix=/opt/libressl
 ~$ make
 ~# make install
 Go to the kernel source tree and:
 ~$ gcc -I/opt/libressl/include -L /opt/libressl/lib -lcrypto -Wl,-rpath,/opt/libressl/lib scripts/sign-file.c -o scripts/sign-file
 Fixes: f8688017 ("sign-file: fix build error in sign-file.c with libressl")
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 scripts/sign-file.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/scripts/sign-file.c b/scripts/sign-file.c
 index fbd34b8e8f57..fd4d7c31d1bf 100644
 --- a/scripts/sign-file.c
 +++ b/scripts/sign-file.c
@@ -41,9 +41,10 @@
  * signing with anything other than SHA1 - so we're stuck with that if such is
  * the case.
  */
 -#if defined(LIBRESSL_VERSION_NUMBER) || \
 -	OPENSSL_VERSION_NUMBER < 0x10000000L || \
 -	defined(OPENSSL_NO_CMS)
 +#if defined(OPENSSL_NO_CMS) || \
 +	( defined(LIBRESSL_VERSION_NUMBER) \
 +	&& (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
 +	OPENSSL_VERSION_NUMBER < 0x10000000L
 #define USE_PKCS7
 #endif
 #ifndef USE_PKCS7
 -- 
 2.20.1
--- a/WIP-Sign-modules-with-GOST-by-LibreSSL.patch
+++ b/WIP-Sign-modules-with-GOST-by-LibreSSL.patch
@ -1,70 +0,0 @@
 From 686598dcff4fd9f91a77b95fb1cf852971283a49 Mon Sep 17 00:00:00 2001
 From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 Date: Wed, 11 Dec 2019 21:17:15 +0300
 Subject: [PATCH 4/4] (WIP) Sign modules with GOST by LibreSSL
 [ work in progress ]
 ---
 certs/Makefile      |  1 +
 init/Kconfig        | 10 ++++++++++
 scripts/sign-file.c |  4 +---
 3 files changed, 12 insertions(+), 3 deletions(-)
 diff --git a/certs/Makefile b/certs/Makefile
 index f4c25b67aad9..39fb3a53bfe3 100644
 --- a/certs/Makefile
 +++ b/certs/Makefile
@@ -60,6 +60,7 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "### needs to be run as root, and uses a hardware random"
 	@$(kecho) "### number generator if one is available."
 	@$(kecho) "###"
 +# TODO: fix for LibreSSL/OpenSSL + GOST (Streebog)
 	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
 		-batch -x509 -config $(obj)/x509.genkey \
 		-outform PEM -out $(obj)/signing_key.pem \
 diff --git a/init/Kconfig b/init/Kconfig
 index b4daad2bac23..0a733a1399e1 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
@@ -2119,6 +2119,14 @@ config MODULE_SIG_SHA512
 	bool "Sign modules with SHA-512"
 	select CRYPTO_SHA512
 +config MODULE_SIG_STREEBOG256
 +	bool "Sign modules with STREEBOG-256"
 +	select CRYPTO_STREEBOG
 +
 +config MODULE_SIG_STREEBOG512
 +	bool "Sign modules with STREEBOG-512"
 +	select CRYPTO_STREEBOG
 +
 endchoice
 config MODULE_SIG_HASH
@@ -2129,6 +2137,8 @@ config MODULE_SIG_HASH
 	default "sha256" if MODULE_SIG_SHA256
 	default "sha384" if MODULE_SIG_SHA384
 	default "sha512" if MODULE_SIG_SHA512
 +	default "streebog256" if MODULE_SIG_STREEBOG256
 +	default "streebog512" if MODULE_SIG_STREEBOG512
 config MODULE_COMPRESS
 	bool "Compress modules on installation"
 diff --git a/scripts/sign-file.c b/scripts/sign-file.c
 index fbd34b8e8f57..010c5f02ff5e 100644
 --- a/scripts/sign-file.c
 +++ b/scripts/sign-file.c
@@ -41,9 +41,7 @@
  * signing with anything other than SHA1 - so we're stuck with that if such is
  * the case.
  */
 -#if defined(LIBRESSL_VERSION_NUMBER) || \
 -	OPENSSL_VERSION_NUMBER < 0x10000000L || \
 -	defined(OPENSSL_NO_CMS)
 +#if defined(OPENSSL_NO_CMS) || OPENSSL_VERSION_NUMBER < 0x10000000L
 #define USE_PKCS7
 #endif
 #ifndef USE_PKCS7
 -- 
 2.20.1
--- a/kernel.spec
+++ b/kernel.spec
@ -11,7 +11,7 @@
 %define sublevel	25
 # Release number. Increase this before a rebuild.
-%define rpmrel		10
+%define rpmrel		11
 %define fullrpmrel	%{rpmrel}
 %define rpmtag		%{disttag}
@ -225,7 +225,8 @@ Patch202:	0002-Documentation-for-AltHa-LSM.patch
 # Other patches
 Patch301:	objtool-sync-check.sh-set-the-exit-code-explicitly.patch
-Patch302:	WIP-Sign-modules-with-GOST-by-LibreSSL.patch
+# sent to upstream
 Patch302:	0001-sign-file-full-functionality-with-modern-LibreSSL.patch
 # Disable AutoReq
 AutoReq: 	0
@ -893,8 +894,6 @@ echo CONFIG_MODULE_SIG_FORCE=n >> %{build_dir}/.config.append
 # If %%build_debig is true, signatures will be stripped
 # We sign modules manually in a tricky way bellow
 echo CONFIG_MODULE_SIG_ALL=n >> %{build_dir}/.config.append
 # Use STREEBOG-512 algo (GOST R 34.11-12)
 echo CONFIG_MODULE_SIG_STREEBOG512=y >> %{build_dir}/.config.append
 # Set path to the key that will be generated later by openssl/libressl
 echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_priv_rnd}\" >> %{build_dir}/.config.append
 # Set path to one PEM file with all keys that the kernel must trust