From 686598dcff4fd9f91a77b95fb1cf852971283a49 Mon Sep 17 00:00:00 2001
|
|
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
|
|
Date: Wed, 11 Dec 2019 21:17:15 +0300
|
|
Subject: [PATCH 4/4] (WIP) Sign modules with GOST by LibreSSL
|
|
|
|
[ work in progress ]
|
|
---
|
|
certs/Makefile | 1 +
|
|
init/Kconfig | 10 ++++++++++
|
|
scripts/sign-file.c | 4 +---
|
|
3 files changed, 12 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/certs/Makefile b/certs/Makefile
|
|
index f4c25b67aad9..39fb3a53bfe3 100644
|
|
--- a/certs/Makefile
|
|
+++ b/certs/Makefile
|
|
@@ -60,6 +60,7 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
|
|
@$(kecho) "### needs to be run as root, and uses a hardware random"
|
|
@$(kecho) "### number generator if one is available."
|
|
@$(kecho) "###"
|
|
+# TODO: fix for LibreSSL/OpenSSL + GOST (Streebog)
|
|
$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
|
|
-batch -x509 -config $(obj)/x509.genkey \
|
|
-outform PEM -out $(obj)/signing_key.pem \
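Review bot: The `openssl req` line under the new TODO still receives `-$(CONFIG_MODULE_SIG_HASH)`, which the Kconfig hunks in this patch allow to expand to `-streebog256` or `-streebog512`. Whether the build host's `openssl` accepts that digest option is not visible here. The key parameters come from `$(obj)/x509.genkey`, which this patch does not touch, so the auto-generated key is presumably not a GOST key even if the command succeeds. Until the TODO is resolved, the comment could state the working path, e.g. `# TODO: autogenerated key is not GOST; supply a GOST key via CONFIG_MODULE_SIG_KEY when a STREEBOG hash is selected`. The recipe continues past the end of the hunk.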
|
|
diff --git a/init/Kconfig b/init/Kconfig
|
|
index b4daad2bac23..0a733a1399e1 100644
|
|
--- a/init/Kconfig
|
|
+++ b/init/Kconfig
|
|
@@ -2119,6 +2119,14 @@ config MODULE_SIG_SHA512
|
|
bool "Sign modules with SHA-512"
|
|
select CRYPTO_SHA512
|
|
|
|
+config MODULE_SIG_STREEBOG256
|
|
+ bool "Sign modules with STREEBOG-256"
|
|
+ select CRYPTO_STREEBOG
|
|
+
|
|
+config MODULE_SIG_STREEBOG512
|
|
+ bool "Sign modules with STREEBOG-512"
|
|
+ select CRYPTO_STREEBOG
|
|
+
|
|
endchoice
|
|
|
|
config MODULE_SIG_HASH
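Review bot: The two new choice entries, `MODULE_SIG_STREEBOG256` and `MODULE_SIG_STREEBOG512`, select only `CRYPTO_STREEBOG` and carry no `help` text. The hash alone is probably not enough for the kernel to verify a GOST-signed module: the public-key side (likely `CRYPTO_ECRDSA`, to be confirmed against this tree) is not selected, and nothing visible here shows that the in-kernel PKCS#7 parser accepts the Streebog digest. If either is missing, signed modules would be rejected at load time, or loaded unverified where signature enforcement is off. Consider adding `select CRYPTO_ECRDSA` to both entries, plus a `help` paragraph saying that the signing key must be a GOST key and that the host signing tool must support Streebog. The `default "streebog256"` and `default "streebog512"` lines in the next hunk depend on the same prerequisites.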
|
|
@@ -2129,6 +2137,8 @@ config MODULE_SIG_HASH
|
|
default "sha256" if MODULE_SIG_SHA256
|
|
default "sha384" if MODULE_SIG_SHA384
|
|
default "sha512" if MODULE_SIG_SHA512
|
|
+ default "streebog256" if MODULE_SIG_STREEBOG256
|
|
+ default "streebog512" if MODULE_SIG_STREEBOG512
|
|
|
|
config MODULE_COMPRESS
|
|
bool "Compress modules on installation"
|
|
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
|
|
index fbd34b8e8f57..010c5f02ff5e 100644
|
|
--- a/scripts/sign-file.c
|
|
+++ b/scripts/sign-file.c
|
|
@@ -41,9 +41,7 @@
|
|
* signing with anything other than SHA1 - so we're stuck with that if such is
|
|
* the case.
|
|
*/
|
|
-#if defined(LIBRESSL_VERSION_NUMBER) || \
|
|
- OPENSSL_VERSION_NUMBER < 0x10000000L || \
|
|
- defined(OPENSSL_NO_CMS)
|
|
+#if defined(OPENSSL_NO_CMS) || OPENSSL_VERSION_NUMBER < 0x10000000L
|
|
#define USE_PKCS7
|
|
#endif
|
|
#ifndef USE_PKCS7
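Review bot: Dropping `defined(LIBRESSL_VERSION_NUMBER)` from the `#if` means LibreSSL builds now take the CMS path unless the headers define `OPENSSL_NO_CMS`, and the comment above the condition, only partly visible in this hunk, should say so. The version test is unlikely to catch LibreSSL, which presumably reports a large `OPENSSL_VERSION_NUMBER` (not shown on this page). A LibreSSL without CMS that does not define `OPENSSL_NO_CMS` would therefore fail to compile rather than fall back. The visible comment also says the PKCS#7 fallback can only sign with SHA1, so in that configuration a Streebog selection would not be honoured. A line such as `/* LibreSSL: uses CMS when available; the PKCS#7 fallback ignores the configured hash */` would record both facts.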
|
|
--
|
|
2.20.1
|
|
|