
Bug#826959: linux-signed is not yet suitable for testing



On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> Control: severity -1 important
> 
> On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk>
> wrote:
> > Package: src:linux-signed
> > Version: 1.1
> > Severity: serious
> >
> > Several changes are needed before it's ready for release:
> >
> > 1. Building signed udebs
> > 2. Removing the -signed suffix from signed image packages
> 
> These are now done as of version 2.2.
> 
> > 3. Signing with an HSM
> 
> This is not, and it really should be, but I think we can't treat this
> as a blocker for testing propagation.
> 
> Ben.

Hello Ben,

I've done some minor changes to add flags to use pesign which supports
hardware tokens via PKCS11. Inline patch for review.

Fortunately kbuild's sign-file already supports just passing a PKCS11
URI, which makes it so much simpler. On the other hand as you most
likely have found out already pesign needs an NSS DB and cert nicknames
and tokens, and all in all it's a really awkward API to use, but that's
what we have to work with I suppose.

What do you think?

Thanks!

Kind regards,
Luca Boccassi

From d41492d4b7ee9c76973a644eb66a4be14d30335d Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Mon, 23 Jan 2017 11:59:38 +0000
Subject: [PATCH] Add support for pesign

As an alternative signing method add options to use pesign instead of
sbsign. pesign supports, among other things pkcs11 which means
support for hardware tokens.
---
 debian/README.source |  9 ++++++++-
 debian/bin/sign.py   | 35 +++++++++++++++++++++++++++++------
 debian/rules         |  2 +-
 debian/rules.defs    |  6 ++++++
 4 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/debian/README.source b/debian/README.source
index 9a9b873..ed7c1b1 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -29,7 +29,7 @@ To generate the signatures:
    - KERNEL_IMAGE_VERSION: Version of the linux-image packages to be
      signed.
    - KERNEL_MODULES_PRIVKEY: Name of the private key file (RSA PEM
-     format) for module signing.
+     format) for module signing, or PKCS11 URI.
    - KERNEL_MODULES_CERT: Name of the certificate file (X.509 PEM
      format) for module signing.  This file must also be included in
      src:linux and listed in CONFIG_SYSTEM_TRUSTED_KEYS.
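Review bot: the new wording "or PKCS11 URI" on the KERNEL_MODULES_PRIVKEY line gives no hint of the expected form; a short pointer such as "(a pkcs11: URI, as accepted by the kernel's scripts/sign-file)" would tell the person signing what to put there, and it is worth adding that KERNEL_MODULES_CERT must still be a PEM file in that case, since only the private key moves to the token.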
@@ -38,9 +38,16 @@ To generate the signatures:
    - KERNEL_IMAGE_CERT: Name of the certificate file (X.509 PEM
      format) for image signing.  This certificate must be trusted by
      the boot loader for Secure Boot to work.
+     When using pesign, this will be used as the certificate NSS
+     nickname.
    - MIRROR_SUITE: Suite from which to download the linux-image
      packages, if they are not already provided in
      debian/localpackages.
+   - SIGNER: default is sbsign, supports pesign too.
+   - NSS_DIR: if using pesign, points to the NSS database directory.
+   - NSS_TOKEN: if using pesign with an hardware token, represents the
+     token as it is known by NSS. Can be found out with:
+     modutil -dbdir sql:`${NSS_DIR}` -list
 2. If the packages are not yet publicly available (e.g. for a security
    update), create debian/localpackages/ and copy or link them into
    there.
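Review bot: the modutil example under NSS_TOKEN wraps ${NSS_DIR} in backticks, which the shell would treat as command substitution; it should read `modutil -dbdir sql:${NSS_DIR} -list`. In the same hunk the `sql:` prefix appears in this example, but sign.py passes NSS_DIR to `pesign -n` unchanged, so the text should say which form NSS_DIR is expected to hold. Reusing KERNEL_IMAGE_CERT as the NSS nickname also silently changes that variable's meaning from a file name to a nickname; either a separate variable or an explicit note that KERNEL_IMAGE_PRIVKEY is ignored when SIGNER is pesign would avoid surprises.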
diff --git a/debian/bin/sign.py b/debian/bin/sign.py
index 5ac3848..87c9310 100755
--- a/debian/bin/sign.py
+++ b/debian/bin/sign.py
@@ -170,8 +170,22 @@ def sign_image_efi(image_name, signature_name, privkey_name, cert_name):
     if not os.path.isfile(signature_name):
         raise Exception('sbsign failed')
 
+def sign_image_efi_pesign(image_name, signature_name, nss_dir, cert_name,
+                          nss_token=""):
+    print('I: Signing image %s' % image_name)
+    print('I: Storing detached signature as %s' % signature_name)
+    os.makedirs(os.path.dirname(signature_name), exist_ok=True)
+    subprocess.check_call(['pesign', '-s', '-n', nss_dir, '-c', cert_name,
+                           '--export-signature', signature_name,
+                           '-i', image_name] +
+                           ([] if len(nss_token) == 0 else ['-t', nss_token]))
+    # Work around bug #819987
+    if not os.path.isfile(signature_name):
+        raise Exception('pesign failed')
+
 def sign(config_name, imageversion_str, modules_privkey_name, modules_cert_name,
-         image_privkey_name, image_cert_name, mirror_url, suite):
+         image_privkey_name, image_cert_name, mirror_url, suite, signer='sbsign',
+         nss_dir=None, nss_token=""):
     config = ConfigCoreDump(fp=open(config_name, 'rb'))
 
     # Check current linux-support version
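Review bot: sign_image_efi_pesign() can receive nss_dir=None through sign()'s default and passes it straight into the pesign argv, where subprocess.check_call raises a TypeError instead of a readable error; check that nss_dir is set and non-empty (debian/rules passes "" when NSS_DIR is unset) before invoking pesign. The `# Work around bug #819987` comment is copied from the sbsign path; confirm that bug applies to pesign as well, or reword the comment so it does not attribute an sbsign bug to pesign. Minor: `len(nss_token) == 0` can be written as `not nss_token`.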
@@ -228,11 +242,20 @@ def sign(config_name, imageversion_str, modules_privkey_name, modules_cert_name,
                     kconfig = kconfig_file.readlines()
                 if ('CONFIG_EFI_STUB=y\n' in kconfig and
                     'CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y\n' in kconfig):
-                    sign_image_efi('%s/boot/vmlinuz-%s' %
-                                   (package_dir, kernelversion),
-                                   '%s/boot/vmlinuz-%s.sig' %
-                                   (signature_dir, kernelversion),
-                                   image_privkey_name, image_cert_name)
+                    if signer == 'sbsign':
+                        sign_image_efi('%s/boot/vmlinuz-%s' %
+                                       (package_dir, kernelversion),
+                                       '%s/boot/vmlinuz-%s.sig' %
+                                       (signature_dir, kernelversion),
+                                       image_privkey_name, image_cert_name)
+                    elif signer == 'pesign':
+                        sign_image_efi_pesign('%s/boot/vmlinuz-%s' %
+                                       (package_dir, kernelversion),
+                                       '%s/boot/vmlinuz-%s.sig' %
+                                       (signature_dir, kernelversion),
+                                       nss_dir, image_cert_name, nss_token)
+                    else:
+                        raise Exception('unknown signer')
 
     print('Signatures should be committed: git add debian/signatures && git commit')
 
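Review bot: the signer check sits inside the per-package loop, so an unknown SIGNER value is only reported after the linux-image packages have been downloaded and unpacked; validate `signer in ('sbsign', 'pesign')` once at the top of sign() instead. The diff also does not touch the call site that unpacks the command-line arguments into sign(), so it is not visible how the three new positional arguments from debian/rules reach signer, nss_dir and nss_token; that change, or a note that the existing call already forwards all of argv, belongs in this patch. Style: the continuation lines of the sign_image_efi_pesign() call are aligned to the sbsign call's column rather than to the new, longer opening parenthesis.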
diff --git a/debian/rules b/debian/rules
index f960b3e..dd4aa40 100755
--- a/debian/rules
+++ b/debian/rules
@@ -65,6 +65,6 @@ maintainerclean:
 	rm -rf debian/control debian/control.md5sum debian/linux-* debian/rules.gen debian/localpackages debian/*-modules-*-di* debian/kernel-image-*-di*
 
 sign:
-	$(SIGN) /usr/src/linux-support-$(KERNEL_ABINAME) "$(KERNEL_IMAGE_VERSION)" "$(KERNEL_MODULES_PRIVKEY)" "$(KERNEL_MODULES_CERT)" "$(KERNEL_IMAGE_PRIVKEY)" "$(KERNEL_IMAGE_CERT)" "$(MIRROR_URL)" "$(MIRROR_SUITE)"
+	$(SIGN) /usr/src/linux-support-$(KERNEL_ABINAME) "$(KERNEL_IMAGE_VERSION)" "$(KERNEL_MODULES_PRIVKEY)" "$(KERNEL_MODULES_CERT)" "$(KERNEL_IMAGE_PRIVKEY)" "$(KERNEL_IMAGE_CERT)" "$(MIRROR_URL)" "$(MIRROR_SUITE)" "$(SIGNER)" "$(NSS_DIR)" "$(NSS_TOKEN)"
 
 .PHONY: build build-arch build-indep clean binary binary-arch binary-indep binary-arch-all maintainerclean sign
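Review bot: the three new arguments are passed as quoted positionals, so when NSS_DIR or NSS_TOKEN is unset sign.py receives an empty string rather than None; sign()'s `nss_dir=None` default never applies on this path and the pesign branch has to treat "" as unset. With eleven positional arguments the order is now load-bearing and a mistake is only caught deep inside sign(); consider validating SIGNER here in make before calling $(SIGN), or passing the new values as named options.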
diff --git a/debian/rules.defs b/debian/rules.defs
index 8842bfb..548a1c9 100644
--- a/debian/rules.defs
+++ b/debian/rules.defs
@@ -5,6 +5,12 @@ KERNEL_ABINAME := 4.9.0-1
 KERNEL_IMAGE_VERSION := 4.9.2-2
 # Note: any version suffix must sort *lower* than +deb
 SIGNED_VERSION_SUFFIX :=
+# sbsign (default) or pesign
+SIGNER := pesign
+# when using pesign, points to the NSS DB that holds the certs
+NSS_DIR :=
+# to be used with pesign to make use of a hardware token
+NSS_TOKEN :=
 
 MIRROR_URL = http://deb.debian.org/debian/
 MIRROR_SUITE = unstable
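Review bot: `SIGNER := pesign` contradicts both the comment directly above it ("sbsign (default)") and the README text in this patch, and would switch the build to pesign with an empty NSS_DIR; the committed default should be `SIGNER := sbsign`, with pesign selected locally or via an override. Empty NSS_DIR and NSS_TOKEN defaults are fine, but the NSS_DIR comment should say whether it expects the bare directory path or the `sql:` form used in the README example.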
-- 
2.1.4
