^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) ==================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) Digital Signature Verification API
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) ==================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) :Author: Dmitry Kasatkin
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) :Date: 06.10.2011
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) .. CONTENTS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11)    1. Introduction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12)    2. API
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13)    3. User-space utilities
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) Introduction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) ============
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) The digital signature verification API provides a method to verify a digital signature.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) Currently, digital signatures are used by the IMA/EVM integrity protection subsystem.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) Digital signature verification is implemented using a cut-down kernel port of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) the GnuPG multi-precision integers (MPI) library. The kernel port handles
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) memory allocation errors, has been refactored according to the kernel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) coding style, and has had the errors and warnings reported by checkpatch.pl fixed.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) A public key and a signature each consist of a header and MPIs::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29)     struct pubkey_hdr {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30)         uint8_t  version;    /* key format version */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31)         time_t   timestamp;  /* key made, always 0 for now */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32)         uint8_t  algo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33)         uint8_t  nmpi;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34)         char     mpi[0];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35)     } __packed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37)     struct signature_hdr {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38)         uint8_t  version;    /* signature format version */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39)         time_t   timestamp;  /* signature made */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40)         uint8_t  algo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41)         uint8_t  hash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42)         uint8_t  keyid[8];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43)         uint8_t  nmpi;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44)         char     mpi[0];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)     } __packed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) The keyid equals SHA1[12-19] over the total key content.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) The signature header is used as an input to generate a signature.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) This approach ensures that the key or signature header cannot be changed.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) It protects the timestamp from being changed and can be used for rollback
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) protection.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) API
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) ===
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) The API currently includes only one function::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58)     digsig_verify() - digital signature verification with public key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61)     /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62)      * digsig_verify() - digital signature verification with public key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63)      * @keyring: keyring to search key in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64)      * @sig: digital signature
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65)      * @siglen: length of the signature
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66)      * @data: data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67)      * @datalen: length of the data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68)      * @return: 0 on success, -EINVAL otherwise
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69)      *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70)      * Verifies data integrity against digital signature.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71)      * Currently only RSA is supported.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72)      * Normally hash of the content is used as a data for this function.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73)      *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74)      */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)     int digsig_verify(struct key *keyring, const char *sig, int siglen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76)                       const char *data, int datalen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) User-space utilities
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) ====================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) The signing and key management utilities evm-utils provide functionality
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) to generate signatures and to load keys into the kernel keyring.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) Keys can be in PEM format or converted to the kernel format.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) When the key is added to the kernel keyring, the keyid defines the name
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) of the key: 5D2B05FC633EE3E8 in the example below.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) Here is an example of the keyctl utility's output::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89)     $ keyctl show
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90)     Session Keyring
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91)     -3 --alswrv 0 0 keyring: _ses
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92)     603976250 --alswrv 0 -1 \_ keyring: _uid.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93)     817777377 --alswrv 0 0 \_ user: kmk
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94)     891974900 --alswrv 0 0 \_ encrypted: evm-key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95)     170323636 --alswrv 0 0 \_ keyring: _module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96)     548221616 --alswrv 0 0 \_ keyring: _ima
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97)     128198054 --alswrv 0 0 \_ keyring: _evm
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99)     $ keyctl list 128198054
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100)     1 key in keyring:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101)     620789745: --alswrv 0 0 user: 5D2B05FC633EE3E8
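
An added example, not taken from the kernel sources or evm-utils: a bounds-checked walk over a signature blob laid out as ``struct signature_hdr`` followed by its MPIs, returning the keyring name that the keyid maps to. The helper name ``sig_blob_check``, the 32-bit timestamp, the GnuPG MPI encoding (2-byte big-endian bit count, then the value bytes), the rejection of trailing bytes and the hex rendering of the keyid are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Layout from the text; assumption: 32-bit timestamp (time_t width varies). */
struct signature_hdr {
	uint8_t version;
	uint32_t timestamp;
	uint8_t algo;
	uint8_t hash;
	uint8_t keyid[8];
	uint8_t nmpi;
} __attribute__((packed));

/* Hypothetical helper. Assumes GnuPG MPIs: 2-byte big-endian bit count, then bytes. */
int sig_blob_check(const uint8_t *sig, int siglen, char *keyname)
{
	struct signature_hdr sh;
	size_t len, off = sizeof(sh), nbytes;
	int i;

	if (siglen < 0 || (size_t)siglen < sizeof(sh))
		return -1;
	len = (size_t)siglen;
	memcpy(&sh, sig, sizeof(sh));	/* copy: the blob may be unaligned */
	if (sh.nmpi == 0)
		return -1;
	for (i = 0; i < sh.nmpi; i++) {
		if (len - off < 2)		/* room for the bit count? */
			return -1;
		nbytes = ((((size_t)sig[off] << 8) | sig[off + 1]) + 7) / 8;
		off += 2;
		if (len - off < nbytes)		/* MPI must fit in the blob */
			return -1;
		off += nbytes;
	}
	if (off != len)				/* reject trailing bytes */
		return -1;
	for (i = 0; i < 8; i++)			/* 16 hex digits plus NUL */
		sprintf(keyname + 2 * i, "%02X", sh.keyid[i]);
	return 0;
}

int main(void)
{
	/* Constructed blob: one 16-bit MPI; keyid copied from the keyctl listing. */
	const uint8_t s[] = { 1, 0, 0, 0, 0, 0, 0, 0x5D, 0x2B, 0x05, 0xFC, 0x63,
			      0x3E, 0xE3, 0xE8, 1, 0x00, 0x10, 0x80, 0x01 };
	char name[17];
	return sig_blob_check(s, sizeof(s), name) ? 1 : (puts(name), 0);
}
```

Running these structural checks before any MPI arithmetic means a truncated blob or an oversized bit count is rejected without reading past ``siglen``.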