bc1c373dd2
Provide a utility that:
(1) Digests a module using the specified hash algorithm (typically sha256).
[The digest can be dumped into a file by passing the '-d' flag]
(2) Generates a PKCS#7 message that:
(a) Has detached data (ie. the module content).
(b) Is signed with the specified private key.
(c) Refers to the specified X.509 certificate.
(d) Has an empty X.509 certificate list.
[The PKCS#7 message can be dumped into a file by passing the '-p' flag]
(3) Generates a signed module by concatenating the old module, the PKCS#7
message, a descriptor and a magic string. The descriptor contains the
size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7.
(4) Either writes the signed module to the specified destination or renames
it over the source module.
This allows module signing to reuse the PKCS#7 handling code that was added
for PE file parsing for signed kexec.
Note that the utility is written in C and must be linked against the OpenSSL
crypto library.
Note further that I have temporarily dropped support for handling externally
created signatures until we can work out the best way to do those. Hopefully,
whoever creates the signature can give me a PKCS#7 certificate.
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>
|
||
|---|---|---|
| .. | ||
| internal | ||
| ablk_helper.h | ||
| aead.h | ||
| aes.h | ||
| akcipher.h | ||
| algapi.h | ||
| authenc.h | ||
| b128ops.h | ||
| blowfish.h | ||
| cast5.h | ||
| cast6.h | ||
| cast_common.h | ||
| compress.h | ||
| cryptd.h | ||
| crypto_wq.h | ||
| ctr.h | ||
| des.h | ||
| drbg.h | ||
| gf128mul.h | ||
| hash.h | ||
| hash_info.h | ||
| if_alg.h | ||
| lrw.h | ||
| mcryptd.h | ||
| md5.h | ||
| null.h | ||
| padlock.h | ||
| pcrypt.h | ||
| pkcs7.h | ||
| public_key.h | ||
| rng.h | ||
| scatterwalk.h | ||
| serpent.h | ||
| sha.h | ||
| sha1_base.h | ||
| sha256_base.h | ||
| sha512_base.h | ||
| skcipher.h | ||
| twofish.h | ||
| vmac.h | ||
| xts.h | ||