mirror of
https://abf.rosa.ru/djam/kernel-5.15.git
synced 2025-02-23 10:32:54 +00:00
Always generate a random GOST key for the kernel keyring (later add preinstalled trusted GOST keys)
This commit is contained in:
Mikhail Novosyolov
parent
3148180250
commit
784b256f80
1 changed files with 54 additions and 29 deletions
69
kernel.spec
69
kernel.spec
|
|
@ -11,7 +11,7 @@
|
|||
%define sublevel 25
|
||||
|
||||
# Release number. Increase this before a rebuild.
|
||||
%define rpmrel 9
|
||||
%define rpmrel 10
|
||||
%define fullrpmrel %{rpmrel}
|
||||
|
||||
%define rpmtag %{disttag}
|
||||
|
|
@ -53,7 +53,7 @@
|
|||
%endif
|
||||
# User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
|
||||
%bcond_without uml
|
||||
%bcond_with gost_keys
|
||||
%bcond_with gost_sign
|
||||
|
||||
# "Nickel" is a special brand for certified distros
|
||||
%if %{mdvver} == 201900 || %{mdvver} == 201905
|
||||
|
|
@ -928,6 +928,9 @@ sed -i '/CONFIG_CRYPTO_STREEBOG/d' .config
|
|||
echo 'CONFIG_CRYPTO_STREEBOG=y' >> %{build_dir}/.config.append
|
||||
sed -i '/CONFIG_CRYPTO_ECRDSA/d' .config
|
||||
echo 'CONFIG_CRYPTO_ECRDSA=y' >> %{build_dir}/.config.append
|
||||
# RSA is =m after make ARCH=um defconfig
|
||||
sed -i '/CONFIG_CRYPTO_RSA/d' .config
|
||||
echo 'CONFIG_CRYPTO_RSA=y' >> %{build_dir}/.config.append
|
||||
|
||||
sed -i '/CONFIG_LSM/d' .config
|
||||
echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,altha"' >> %{build_dir}/.config.append
|
||||
|
|
@ -1030,12 +1033,12 @@ cat <<EOF > "%{certs_key_config_rnd}"
|
|||
[ req ]
|
||||
prompt = no
|
||||
string_mask = utf8only
|
||||
default_keyfile = %{certs_signing_key_priv_rnd}
|
||||
#default_keyfile = %{certs_signing_key_priv_rnd}
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = myexts
|
||||
[ req_distinguished_name ]
|
||||
organizationName = %{vendor} rpmbuild
|
||||
commonName = Build time autogenerated kernel key
|
||||
commonName = Build time autogenerated @ALGO@ kernel key
|
||||
emailAddress = ${email}
|
||||
[ myexts ]
|
||||
basicConstraints=critical,CA:FALSE
|
||||
|
|
@ -1044,33 +1047,54 @@ subjectKeyIdentifier=hash
|
|||
authorityKeyIdentifier=keyid
|
||||
EOF
|
||||
cat "%{certs_key_config_rnd}"
|
||||
sed -e 's,@ALGO@,RSA,g' "%{certs_key_config_rnd}" > "%{certs_key_config_rnd}.RSA"
|
||||
sed -e 's,@ALGO@,GOST R 34.10-2012,g' "%{certs_key_config_rnd}" > "%{certs_key_config_rnd}.GOST"
|
||||
# avoid using the template
|
||||
rm -f "%{certs_key_config_rnd}"
|
||||
|
||||
libressl req -new -nodes -utf8 -batch \
|
||||
%if %{with gost_keys}
|
||||
_libressl_gen_key(){
|
||||
if [ "$GOST_KEY" = 1 ]
|
||||
then
|
||||
lssl_req_gost_args="\
|
||||
-newkey gost2001 \
|
||||
-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
|
||||
-streebog512 \
|
||||
%endif
|
||||
-streebog512"
|
||||
OUT="%{certs_signing_key_priv_rnd}.GOST"
|
||||
CONFIG="%{certs_key_config_rnd}.GOST"
|
||||
else
|
||||
lssl_req_gost_args=""
|
||||
OUT="%{certs_signing_key_priv_rnd}.RSA"
|
||||
CONFIG="%{certs_key_config_rnd}.RSA"
|
||||
fi
|
||||
libressl req -new -nodes -utf8 -batch \
|
||||
$lssl_req_gost_args \
|
||||
-days 109500 \
|
||||
-x509 -config "%{certs_key_config_rnd}" \
|
||||
-outform PEM \
|
||||
-out "%{certs_signing_key_priv_rnd}" \
|
||||
-keyout "%{certs_signing_key_priv_rnd}"
|
||||
-x509 -config "$CONFIG" \
|
||||
-out "$OUT" \
|
||||
-keyout "$OUT"
|
||||
|
||||
# Verify
|
||||
%if %{with gost_keys}
|
||||
libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
|
||||
if [ "$GOST_KEY" = 1 ]; then
|
||||
libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
|
||||
| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
|
||||
libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
|
||||
libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
|
||||
| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
|
||||
libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
|
||||
libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
|
||||
| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
|
||||
%endif
|
||||
fi
|
||||
}
|
||||
|
||||
# Strip public part from the generated PEM
|
||||
GOST_KEY=0 _libressl_gen_key
|
||||
GOST_KEY=1 _libressl_gen_key
|
||||
# Fake CONFIG_MODULE_SIG_KEY to make build scripts happy
|
||||
cp -v "%{certs_signing_key_priv_rnd}.RSA" "%{certs_signing_key_priv_rnd}"
|
||||
|
||||
# Strip public parts from the generated PEMs
|
||||
sed -n \
|
||||
'/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' \
|
||||
"%{certs_signing_key_priv_rnd}" > "%{certs_public_keys}"
|
||||
'/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
|
||||
"%{certs_signing_key_priv_rnd}.GOST" \
|
||||
"%{certs_signing_key_priv_rnd}.RSA" \
|
||||
> "%{certs_public_keys}"
|
||||
|
||||
# link sign-file and extract-cert with LibreSSL instead of OpenSSL
|
||||
libressl_cflags="$(pkg-config --cflags --libs libressl-libcrypto)"
|
||||
|
|
@ -1081,8 +1105,9 @@ sed -i %{src_dir}/scripts/Makefile \
|
|||
%endif
|
||||
-e "s,-lcrypto,${libressl_cflags},g"
|
||||
|
||||
%if %{with additional_keys} && !%{with gost_keys}
|
||||
%if %{with additional_keys}
|
||||
# Add additional public RSA keys to the list of trusted keys for kernel modules
|
||||
# TODO: add GOST keys
|
||||
# Build kernel --without additional_keys if you do not want to trust them
|
||||
cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
|
||||
>> "%{certs_public_keys}"
|
||||
|
|
@ -1273,7 +1298,7 @@ _libressl_sign(){
|
|||
return 0
|
||||
fi
|
||||
f="$1"
|
||||
%if %{with gost_keys}
|
||||
%if %{with gost_sign}
|
||||
# This is an incorrect signature, GOST support is needed in CMS (?!)
|
||||
libressl dgst -streebog512 \
|
||||
-sign "%{certs_signing_key_priv_rnd}" "$f" \
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue