pool/pesign-obs-integration
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 947877 from home:michals

Browse Source 
- Support signing grub on powerpc (jsc#SLE-18271 bsc#1192764).
   + 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
   + 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
   + 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
   + 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch

Add SLE bug references:
  * Add support for GZIP and ZSTD module compression (bsc#1188636)
  * Compress kernel modules in batch and in parallel (bsc#1188636)
  support kernel module compression (bsc#1135854, jsc#SLE-16661)

OBS-URL: https://build.opensuse.org/request/show/947877
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=110
This commit is contained in:
Joey Lee 2022-01-22 10:58:17 +00:00 committed by Git OBS Bridge
parent 37a3159863
commit b63590e396
6 changed files with 529 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch Normal file
View File

@ -0,0 +1,86 @@
From 13efe2232909a600531142959b2e4380af46676f Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 23 Nov 2021 16:40:27 +0100
Subject: [PATCH 1/4] Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
brp-99-pesign | 14 ++++++++++++++
pesign-repackage.spec.in | 22 +++++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/brp-99-pesign b/brp-99-pesign
index 0e415d6..c6e9d54 100644
--- a/brp-99-pesign
+++ b/brp-99-pesign
@@ -58,6 +58,19 @@ if ! mkdir -p "$output"; then
exit 0
fi
+case "$BRP_PESIGN_GRUB_RESERVATION" in
+ '')
+ pesign_grub_reservation="0"
+ ;;
+ *[!0-9]*)
+ echo "$0: warning: non-numerc value '$BRP_PESIGN_GRUB_RESERVATION' of BRP_PESIGN_GRUB_RESERVATION" >&2
+ pesign_grub_reservation="0"
+ ;;
+ *)
+ pesign_grub_reservation="${BRP_PESIGN_GRUB_RESERVATION}"
+ ;;
+esac
+
if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then
pesign_repackage_compress="--compress xz"
elif test "${BRP_PESIGN_COMPRESS_MODULE}" = "gzip"; then
@@ -77,6 +90,7 @@ else
fi
sed "
s:@NAME@:$RPM_PACKAGE_NAME:g
+ s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g
s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
/@CERT@/ {
r $cert
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index eebc609..f473fa1 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -126,7 +126,7 @@ sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
for sig in "${sigs[@]}"; do
f=%buildroot/${sig%.sig}
case "/$sig" in
- *.ko.sig)
+ *.ko.sig|*.mod.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
;;
/boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig | */lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig)
@@ -157,6 +157,26 @@ for sig in "${sigs[@]}"; do
*stage3.bin.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
;;
+ *grub.elf.sig)
+ sig_size="$(wc -c < "$sig")"
+ unsigned_grub_size="$(wc -c < "$f")"
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
+ signed_grub_size="$(wc -c < "$f".appendtest)"
+ rm "$f".appendtest
+ footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
+ if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
+ echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+ exit 1
+ fi
+ sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
+ truncate -s $sig_size "$sig"
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ grub_size="$(wc -c < "$f")"
+ if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
+ echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
+ exit 1
+ fi
+ ;;
*)
echo "Warning: unhandled signature: $sig" >&2
esac
--
2.34.1

260
0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch Normal file
View File

@ -0,0 +1,260 @@
From 85f8f72c2f055ca2fa48ec1e7ad7911e8e3744ad Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 4 Jan 2022 12:49:54 +0100
Subject: [PATCH 2/4] kernel-sign-file: Move x509 parsing into a function.
This should not introduce any functionality change but next patch will
make the parsing optional.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
kernel-sign-file | 201 +++++++++++++++++++++++++----------------------
1 file changed, 106 insertions(+), 95 deletions(-)
diff --git a/kernel-sign-file b/kernel-sign-file
index ce76a40..2e5b7aa 100755
--- a/kernel-sign-file
+++ b/kernel-sign-file
@@ -226,113 +226,119 @@ sub asn1_pack($@)
# Roughly parse the X.509 certificate
#
###############################################################################
-my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
-
-my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
-my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
-my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
-my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER);
-my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
-my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
-my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
-
-my $subject_key_id = ();
-my $authority_key_id = ();
-
-#
-# Parse the extension list
-#
-if ($extension_list->[0] != -1) {
- my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
-
- while ($extensions->[1]->[1] > 0) {
- my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
- my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
- my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
- my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
+sub parse_certificate($)
+{
+ my ($x509_certificate) = @_;
+ my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
+ my %result;
+
+ my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
+ my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
+ my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
+ $result{serial_number} = asn1_extract($tbs->[1], $UNIV | $INTEGER);
+ my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ $result{issuer} = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
+ my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
+ my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
+
+ $result{subject_key_id} = ();
+ my $authority_key_id = ();
+
+ #
+ # Parse the extension list
+ #
+ if ($extension_list->[0] != -1) {
+ my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
+
+ while ($extensions->[1]->[1] > 0) {
+ my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
+ my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
+ my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
+ my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
+
+ my $raw_oid = asn1_retrieve($x_oid->[1]);
+ next if (!exists($OIDs{$raw_oid}));
+ my $x_type = $OIDs{$raw_oid};
+
+ my $raw_value = asn1_retrieve($x_val->[1]);
+
+ if ($x_type eq "subjectKeyIdentifier") {
+ my $vcursor = [ 0, length($raw_value), \$raw_value ];
+
+ $result{subject_key_id} = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
+ }
+ }
+ }
- my $raw_oid = asn1_retrieve($x_oid->[1]);
+ ###############################################################################
+ #
+ # Determine what we're going to use as the signer's name. In order of
+ # preference, take one of: commonName, organizationName or emailAddress.
+ #
+ ###############################################################################
+ my $org = "";
+ my $cn = "";
+ my $email = "";
+
+ while ($subject->[1]->[1] > 0) {
+ my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
+ my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
+ my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
+ my $n_val = asn1_extract($attr->[1], -1);
+
+ my $raw_oid = asn1_retrieve($n_oid->[1]);
next if (!exists($OIDs{$raw_oid}));
- my $x_type = $OIDs{$raw_oid};
-
- my $raw_value = asn1_retrieve($x_val->[1]);
+ my $n_type = $OIDs{$raw_oid};
- if ($x_type eq "subjectKeyIdentifier") {
- my $vcursor = [ 0, length($raw_value), \$raw_value ];
+ my $raw_value = asn1_retrieve($n_val->[1]);
- $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
+ if ($n_type eq "organizationName") {
+ $org = $raw_value;
+ } elsif ($n_type eq "commonName") {
+ $cn = $raw_value;
+ } elsif ($n_type eq "emailAddress") {
+ $email = $raw_value;
}
}
-}
-###############################################################################
-#
-# Determine what we're going to use as the signer's name. In order of
-# preference, take one of: commonName, organizationName or emailAddress.
-#
-###############################################################################
-my $org = "";
-my $cn = "";
-my $email = "";
-
-while ($subject->[1]->[1] > 0) {
- my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
- my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
- my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
- my $n_val = asn1_extract($attr->[1], -1);
-
- my $raw_oid = asn1_retrieve($n_oid->[1]);
- next if (!exists($OIDs{$raw_oid}));
- my $n_type = $OIDs{$raw_oid};
-
- my $raw_value = asn1_retrieve($n_val->[1]);
-
- if ($n_type eq "organizationName") {
- $org = $raw_value;
- } elsif ($n_type eq "commonName") {
- $cn = $raw_value;
- } elsif ($n_type eq "emailAddress") {
- $email = $raw_value;
- }
-}
+ $result{signers_name} = $email;
-my $signers_name = $email;
+ if ($org && $cn) {
+ # Don't use the organizationName if the commonName repeats it
+ if (length($org) <= length($cn) &&
+ substr($cn, 0, length($org)) eq $org) {
+ $result{signers_name} = $cn;
+ goto got_id_name;
+ }
-if ($org && $cn) {
- # Don't use the organizationName if the commonName repeats it
- if (length($org) <= length($cn) &&
- substr($cn, 0, length($org)) eq $org) {
- $signers_name = $cn;
- goto got_id_name;
- }
+ # Or a signifcant chunk of it
+ if (length($org) >= 7 &&
+ length($cn) >= 7 &&
+ substr($cn, 0, 7) eq substr($org, 0, 7)) {
+ $result{signers_name} = $cn;
+ goto got_id_name;
+ }
- # Or a signifcant chunk of it
- if (length($org) >= 7 &&
- length($cn) >= 7 &&
- substr($cn, 0, 7) eq substr($org, 0, 7)) {
- $signers_name = $cn;
- goto got_id_name;
+ $result{signers_name} = $org . ": " . $cn;
+ } elsif ($org) {
+ $result{signers_name} = $org;
+ } elsif ($cn) {
+ $result{signers_name} = $cn;
}
- $signers_name = $org . ": " . $cn;
-} elsif ($org) {
- $signers_name = $org;
-} elsif ($cn) {
- $signers_name = $cn;
-}
+ got_id_name:
-got_id_name:
+ die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
+ if (!$result{subject_key_id});
-die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
- if (!$subject_key_id);
-
-my $key_identifier = asn1_retrieve($subject_key_id->[1]);
+ $result{key_identifier} = asn1_retrieve($result{subject_key_id}->[1]);
+ return %result;
+}
###############################################################################
#
# Create and attach the module signature
@@ -430,8 +436,13 @@ if ($signature_file) {
"openssl rsautl -sign -inkey $private_key -keyform PEM");
}
+my %certdata = parse_certificate($x509_certificate);
+my $signers_name;
+my $key_identifier;
if ($id_type == 1) {
$signature = pack("n", length($signature)) . $signature,
+ $signers_name = $certdata{signers_name};
+ $key_identifier = $certdata{key_identifier};
} elsif ($id_type == 2) {
# create PKCS7 signature
$signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
@@ -439,10 +450,10 @@ if ($id_type == 1) {
my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
- my $si_issuer = asn1_pack($issuer->[0], asn1_retrieve($issuer->[1]));
- my $si_serial = asn1_pack($serial_number->[0], asn1_retrieve($serial_number->[1]));
+ my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
+ my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($subject_key_id->[1]));
+ my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
--
2.34.1

116
0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch Normal file
View File

@ -0,0 +1,116 @@
From 68baaf0ca940712d4cfbe5d7c55bc8407efc19ce Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 4 Jan 2022 12:29:21 +0100
Subject: [PATCH 3/4] kernel-sign-file: Support appending verbatim PKCS#7
signature.
When existing signature is specified upstream appends it verbatim as
PKCS#7 but kernel-ding-file assumes it's raw RSA signature and wraps
PKCS#7 around it beforee appending.
Because the certificate is not required for just dumping the whole
signature after the data but is required to create the PKCS#7 wrapper we
can support both. When a certificate is specified create a wrapper, when
not just copy the signature without touching it.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
kernel-sign-file | 60 +++++++++++++++++++++++++++++-------------------
1 file changed, 37 insertions(+), 23 deletions(-)
diff --git a/kernel-sign-file b/kernel-sign-file
index 2e5b7aa..9cacefb 100755
--- a/kernel-sign-file
+++ b/kernel-sign-file
@@ -42,7 +42,6 @@ if (@ARGV) {
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
-die "Can't read X.509 certificate\n" unless (-r $x509);
die "Can't read module\n" unless (-r $module);
#
@@ -99,7 +98,6 @@ sub openssl_pipe($$) {
# we're intending to use to sign the module.
#
###############################################################################
-my $x509_certificate = read_file($x509);
my $UNIV = 0 << 6;
my $APPL = 1 << 6;
@@ -436,35 +434,51 @@ if ($signature_file) {
"openssl rsautl -sign -inkey $private_key -keyform PEM");
}
-my %certdata = parse_certificate($x509_certificate);
+my %certdata;
my $signers_name;
my $key_identifier;
+my $x509_certificate;
if ($id_type == 1) {
+ die "Can't read X.509 certificate\n" unless (-r $x509);
+ $x509_certificate = read_file($x509);
+ %certdata = parse_certificate($x509_certificate);
$signature = pack("n", length($signature)) . $signature,
$signers_name = $certdata{signers_name};
$key_identifier = $certdata{key_identifier};
} elsif ($id_type == 2) {
# create PKCS7 signature
- $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
- my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1)));
- my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
- my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
- my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
- my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
- my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
- my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
- my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
- my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
- my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
- my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
- my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
- my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
- my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1));
- my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
- my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set);
- my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2));
- $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid));
+ if ($x509) {
+ die "Can't read X.509 certificate\n" unless (-r $x509);
+ $x509_certificate = read_file($x509);
+ } else {
+ print "No certificate specified, assuming pre-built PKCS#7 signature.\n" if ($verbose);
+ $x509_certificate = '';
+ }
+ if ($x509_certificate) {
+ %certdata = parse_certificate($x509_certificate);
+ $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
+ my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1)));
+ my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
+ my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
+ my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
+ my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
+ my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
+ my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
+ my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
+ my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
+ my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
+ my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
+ my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
+ my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
+ my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
+ my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1));
+ my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
+ my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set);
+ my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2));
+ $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid));
+ } else {
+ print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if ($verbose);
+ }
# zero out unneeded entries
$signers_name = '';
$key_identifier = '';
--
2.34.1

50
0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch Normal file
View File

@ -0,0 +1,50 @@
From 5b255595f4101b136db55538a59ef5b1fc3439e5 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 4 Jan 2022 12:20:36 +0100
Subject: [PATCH 4/4] Add padding to grub signature correctly (jsc#SLE-18271
bsc#1192764).
Upstream sign-file supports including whole PKCS#7 signature verbatim
while kernel-sign-file supports building PKCS#7 around raw RSA signature
as provided by OBS. Now kernel-sign-file also supports what upstream
does so make use of it. First wrap PKCS#7 around the RSA signature, then
pad, then append.
Fixes: 13efe22 ("Support ppc grub signing (jsc#SLE-18271 bsc#1192764).")
---
pesign-repackage.spec.in | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index f473fa1..8c07fc4 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -160,17 +160,18 @@ for sig in "${sigs[@]}"; do
*grub.elf.sig)
sig_size="$(wc -c < "$sig")"
unsigned_grub_size="$(wc -c < "$f")"
- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
- signed_grub_size="$(wc -c < "$f".appendtest)"
- rm "$f".appendtest
- footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
+ /usr/lib/rpm/pesign/kernel-sign-file -vpd -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ sig_size="$(wc -c < "$f.p7s")"
+ footer_size=40
+ grub_size="$(wc -c < "$f")"
if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
- echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+ echo "size of '$f.p7s' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
exit 1
fi
sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
- truncate -s $sig_size "$sig"
- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ truncate -s $sig_size "$f.p7s"
+ /usr/lib/rpm/pesign/kernel-sign-file -v -i pkcs7 -s "$f.p7s" sha256 "" "$f"
+ rm "$f.p7s"
grub_size="$(wc -c < "$f")"
if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
--
2.34.1

15
pesign-obs-integration.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Fri Jan 21 08:49:34 UTC 2022 - Michal Suchanek <msuchanek@suse.com>
- Support signing grub on powerpc (jsc#SLE-18271 bsc#1192764).
+ 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
+ 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
+ 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
+ 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
-------------------------------------------------------------------
Wed Aug 04 12:35:19 UTC 2021 - lnussel@suse.de
@ -16,7 +25,7 @@ Fri Jul 30 11:56:23 UTC 2021 - lnussel@suse.de
Fri Jul 23 09:11:28 UTC 2021 - dmueller@suse.com
- Update to version git master (10.2):
* Add support for GZIP and ZSTD module compression
* Add support for GZIP and ZSTD module compression (bsc#1188636)
* Always pad the EFI image when calculating the hash
* Version bump to 10.2
* approach issue#22 false noarch subpackage
@ -51,7 +60,7 @@ Mon Dec 21 03:50:35 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
Wed Oct 21 12:44:19 UTC 2020 - dmueller@suse.com
- Update to version 10.1+1602850462:
* Compress kernel modules in batch and in parallel
* Compress kernel modules in batch and in parallel (bsc#1188636)
* Forward _binary_payload to the repackaged rpm (bsc#1175882)
- remove 0001-Forward-_binary_payload-to-the-repackaged-rpm.patch,
parallel-compression.patch (upstream)
@ -124,7 +133,7 @@ Thu Aug 1 02:41:28 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
Wed May 29 06:01:20 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Add 0001-Add-support-for-kernel-module-compression.patch to
support kernel module compression (bsc#1135854)
support kernel module compression (bsc#1135854, jsc#SLE-16661)
-------------------------------------------------------------------
Fri May 17 14:00:08 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>

6
pesign-obs-integration.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package pesign-obs-integration
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -25,6 +25,10 @@ License: GPL-2.0-only
Group: Development/Tools/Other
URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
Source: %{name}-%{version}.tar.gz
Patch1: 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
Patch2: 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
Patch3: 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
Patch4: 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
BuildRequires: openssl
Requires: fipscheck
Requires: mozilla-nss-tools