diff -pruN 0.9.4-3.1/debian/changelog 0.9.4-3.1ubuntu2/debian/changelog
--- 0.9.4-3.1/debian/changelog	2022-06-04 11:37:27.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/changelog	2022-11-21 11:30:41.000000000 +0000
@@ -1,3 +1,26 @@
+sbsigntool (0.9.4-3.1ubuntu2) lunar; urgency=medium
+
+  * Add support for certificate bundles in sbverify. LP: #1997232
+
+ -- Dimitri John Ledkov <dimitri.ledkov@canonical.com>  Mon, 21 Nov 2022 11:30:41 +0000
+
+sbsigntool (0.9.4-3.1ubuntu1) kinetic; urgency=medium
+
+  * Merge from Debian unstable to restore Ubuntu delta (LP: #1980057)
+    Remaining changes:
+    - d/p/ubuntu-kernel-module-signing.patch (rebased on 0.9.4) and
+      d/p/ubuntu-kernel-module-signing-fixes.patch (rebased on 0.9.4):
+      add the kernel module signing tool to the package.
+    - d/p/ubuntu-clear-image-before-use.patch: avoid use of uninitialised
+      data causing a startup crash.
+    - dp/sbkeysync-Don-t-ignore-errors-from-insert_new_keys.patch: exit non-zero 
+      upon key insertion failure
+    Dropped changes, applied in Debian:
+    - Disable -Werror on deprecation warnings for the OpenSSL transition
+    - Apply patch to fix the OpenSSL3 build
+
+ -- Simon Chopin <schopin@ubuntu.com>  Tue, 28 Jun 2022 10:20:23 +0200
+
 sbsigntool (0.9.4-3.1) unstable; urgency=medium
 
   * Non-maintainer upload
@@ -16,6 +39,27 @@ sbsigntool (0.9.4-3) unstable; urgency=m
 
  -- Julian Andres Klode <jak@debian.org>  Tue, 14 Sep 2021 08:39:01 +0200
 
+sbsigntool (0.9.4-2ubuntu2) jammy; urgency=medium
+
+  * Disable -Werror on deprecation warnings for the OpenSSL transition
+  * Apply patch to fix the OpenSSL3 build (LP: #1946193)
+
+ -- Simon Chopin <simon.chopin@canonical.com>  Fri, 05 Nov 2021 18:32:24 +0100
+
+sbsigntool (0.9.4-2ubuntu1) impish; urgency=medium
+
+  * Merge from Debian unstable (LP: #1941888)
+    Remaining changes:
+    - d/p/ubuntu-kernel-module-signing.patch (rebased on 0.9.4) and
+      d/p/ubuntu-kernel-module-signing-fixes.patch (rebased on 0.9.4):
+      add the kernel module signing tool to the package.
+    - d/p/ubuntu-clear-image-before-use.patch: avoid use of uninitialised
+      data causing a startup crash.
+    - dp/sbkeysync-Don-t-ignore-errors-from-insert_new_keys.patch: exit non-zero 
+      upon key insertion failure
+
+ -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com>  Wed, 18 Aug 2021 09:47:17 +0200
+
 sbsigntool (0.9.4-2) experimental; urgency=medium
 
   * Add patch for RISC-V support.
@@ -36,6 +80,41 @@ sbsigntool (0.9.4-1) experimental; urgen
 
  -- Julian Andres Klode <jak@debian.org>  Mon, 02 Aug 2021 13:31:02 +0200
 
+sbsigntool (0.9.2-2ubuntu4) groovy; urgency=medium
+
+  * Add a Breaks for secureboot-db versions that did not yet have a
+    secureboot-db.service that permits a non-zero sbkeysync exitcode.
+
+ -- dann frazier <dannf@ubuntu.com>  Wed, 26 Aug 2020 15:57:13 -0600
+
+sbsigntool (0.9.2-2ubuntu3) groovy; urgency=medium
+
+  * sbkeysync: exit non-zero upon key insertion failure. (LP: #1892797)
+
+ -- dann frazier <dannf@ubuntu.com>  Mon, 24 Aug 2020 18:35:41 -0600
+
+sbsigntool (0.9.2-2ubuntu2) groovy; urgency=medium
+
+  * No change rebuild against new CET ABI.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 10 Jul 2020 18:29:28 +0100
+
+sbsigntool (0.9.2-2ubuntu1) eoan; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - d/p/ubuntu-kernel-module-signing.patch and
+      d/p/ubuntu-kernel-module-signing-fixes.patch: add the kernel module
+      signing tool to the package.
+    - d/p/ubuntu-clear-image-before-use.patch: avoid use of uninitialised
+      data causing a startup crash.
+  * Dropped changes, included upstream:
+    - d/p/ubuntu-handle-odd-buffer-lengths-in-checksum.patch: correctly
+      handle odd byte length buffers.
+  * Dropped changes, obsoleted upstream:
+    - d/p/ubuntu-tests-disable-pie.patch: disable PIE
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 03 May 2019 16:12:28 -0700
+
 sbsigntool (0.9.2-2) unstable; urgency=medium
 
   * Change Maintainer to be the EFI team, with Pierre and me as Uploaders
@@ -56,6 +135,26 @@ sbsigntool (0.9.2-1) unstable; urgency=m
 
  -- Pierre Chifflier <pollux@debian.org>  Mon, 21 Jan 2019 21:20:40 +0100
 
+sbsigntool (0.6-3.2ubuntu2) bionic; urgency=high
+
+  * No change rebuild against openssl1.1.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 05 Feb 2018 16:53:19 +0000
+
+sbsigntool (0.6-3.2ubuntu1) artful; urgency=low
+
+  * Merge with Debian unstable, remaining changes:
+    - d/p/ubuntu-handle-odd-buffer-lengths-in-checksum.patch: correctly
+      handle odd byte length buffers.
+    - d/p/ubuntu-kernel-module-signing.patch and
+      d/p/ubuntu-kernel-module-signing-fixes.patch: add the kernel module
+      signing tool to the package.
+    - d/p/ubuntu-tests-disable-pie.patch: disable PIE
+    - d/p/ubuntu-clear-image-before-use.patch: avoid use of uninitialised
+      data causing a startup crash.
+
+ -- Andy Whitcroft <apw@ubuntu.com>  Fri, 28 Apr 2017 08:40:27 +0100
+
 sbsigntool (0.6-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -99,3 +198,141 @@ sbsigntool (0.6-1) unstable; urgency=low
   * Initial release (Closes: #702254)
 
  -- Pierre Chifflier <pollux@debian.org>  Wed, 23 Sep 2015 08:40:56 +0200
+
+sbsigntool (0.6-0ubuntu12) yakkety; urgency=low
+
+  * debian/patches/ubuntu-kernel-module-signing-fixes.patch: add help
+    and update program name.  This is used to generate the new manual page.
+
+ -- Andy Whitcroft <apw@ubuntu.com>  Tue, 17 May 2016 13:23:47 +0100
+
+sbsigntool (0.6-0ubuntu11) yakkety; urgency=medium
+
+  * debian/patches/ubuntu-kernel-module-signing.patch: add signing support
+    programs for Ubuntu archive signing.  (LP: #1579766)
+  * tests: disable PIE mode when building examples for signing.
+  * src/image.c: ensure we zero image objects on allocation.
+
+ -- Andy Whitcroft <apw@ubuntu.com>  Mon, 09 May 2016 14:25:49 +0100
+
+sbsigntool (0.6-0ubuntu10) xenial; urgency=medium
+
+  * debian/patches/sbverify_clear_out_cert_content.patch: clear out the
+    contents part of the certificate we're building for signature verification
+    from the EFI binary, in sbverify; OpenSSL 1.0.2e now enforces that there
+    isn't data and content sections together. Thanks to Marc Deslauriers for
+    help investigating this. (LP: #1526959)
+
+ -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Thu, 17 Dec 2015 14:55:09 -0500
+
+sbsigntool (0.6-0ubuntu9) xenial; urgency=medium
+
+  [ Linn Crosetto ]
+  * debian/patches/0001-Handle-odd-buffer-lengths-in-checksum.patch:
+    Fix checksum when handling buffers of odd length.  LP: #1511108
+
+ -- Michael Terry <mterry@ubuntu.com>  Thu, 19 Nov 2015 16:32:19 -0500
+
+sbsigntool (0.6-0ubuntu8) wily; urgency=medium
+
+  * debian/patches/0001-Support-openssl-1.0.2b-and-above.patch: [PATCH]
+    Support openssl 1.0.2b and above.  Thanks to Marc Deslauriers
+    <marc.deslauriers@ubuntu.com>.  LP: #1474541.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 15 Jul 2015 08:57:46 -0700
+
+sbsigntool (0.6-0ubuntu7) trusty; urgency=medium
+
+  * debian/patches/del-duplicate-define.patch: Remove duplicate define.
+  * debian/patches/zero-sized-sections.patch: Fix failure in sbsigntool
+    when it encouters zero-sized PE/COFF image sections (LP: #1252288).
+  * debian/patches/arm-arm64-support.patch: Support signing ARM images.
+
+ -- Adam Conrad <adconrad@ubuntu.com>  Tue, 15 Apr 2014 14:54:42 +0100
+
+sbsigntool (0.6-0ubuntu6) trusty; urgency=low
+
+  * debian/patches/add_corrected_efivars_magic.patch: Cherry-picked upstream
+    fix to add corrected efivars magic (LP: #1257305)
+
+ -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com>  Tue, 03 Dec 2013 15:50:45 +0100
+
+sbsigntool (0.6-0ubuntu5) saucy; urgency=low
+
+  * debian/patches/ignore-certificate-expiries.patch: ignore certificate
+    expiries when verifying signatures.  Closes LP: #1234649.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 04 Oct 2013 01:43:03 +0000
+
+sbsigntool (0.6-0ubuntu4) saucy; urgency=low
+
+  * debian/patches/efi_arch_ia32.patch: Use AC_CANONICAL_HOST, not uname -m,
+    to determine target. Closes LP: #1066038.
+  * debian/patches/Align-signature-data-to-8-bytes.patch: Align signature
+    data to 8 bytes.  This matches the Microsoft signing implementation,
+    which enables us to use sbattach to verify the integrity of the binaries
+    returned by the SysDev signing service.
+  * debian/patches/update_checksums.patch: make sure we update the PE checksum
+    field as well, also needed for matching the Microsoft signing
+    implementation.
+  * debian/patches/fix-signature-padding.patch: fix calculation of the
+    size of our signature data, so that we don't write out extra zeroes
+    when we detach a signature.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 23 Aug 2013 21:07:17 -0700
+
+sbsigntool (0.6-0ubuntu3) saucy; urgency=low
+
+  * Build-depend on gcc-multilib to support building the test suite.
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 17 Jun 2013 11:53:31 +0100
+
+sbsigntool (0.6-0ubuntu2) raring; urgency=low
+
+  * Mark sbsigntool Multi-Arch: foreign.
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 08 Jan 2013 12:20:42 +0000
+
+sbsigntool (0.6-0ubuntu1) quantal; urgency=low
+
+  * New upstream release.
+    - Uses the new mount point for the efivars directory, for compatibility
+      with the pending upstream kernel patches and compatibility with what
+      mountall is doing.  LP: #1063061.
+    - Fixes sbverify verification of the pkcs7 bundles that Microsoft-signed
+      binaries deliver to us, enabling us to do build-time verification of
+      shim-signed.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 11 Oct 2012 17:24:56 -0700
+
+sbsigntool (0.4-0ubuntu2) quantal; urgency=low
+
+  * Fix FTBFS on i386 by defining EFI_ARCH to ia32 instead of uname.
+
+ -- Adam Conrad <adconrad@ubuntu.com>  Tue, 02 Oct 2012 07:44:59 -0600
+
+sbsigntool (0.4-0ubuntu1) quantal; urgency=low
+
+  * New upstream release.
+  * Add new uuid-dev and gnu-efi build dependancies.
+
+ -- Andy Whitcroft <apw@ubuntu.com>  Tue, 02 Oct 2012 10:15:17 +0100
+
+sbsigntool (0.3-0ubuntu2) quantal; urgency=low
+
+  * Only build on amd64 and i386 (LP: #1020771).
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 01 Oct 2012 10:53:56 +0100
+
+sbsigntool (0.3-0ubuntu1) quantal; urgency=low
+
+  * New upstream release.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 30 Jun 2012 01:37:52 +0000
+
+sbsigntool (0.2-0ubuntu1) quantal; urgency=low
+
+  * Initial release.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 28 Jun 2012 01:47:06 +0000
+
diff -pruN 0.9.4-3.1/debian/control 0.9.4-3.1ubuntu2/debian/control
--- 0.9.4-3.1/debian/control	2021-09-14 06:39:01.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/control	2021-08-18 07:47:17.000000000 +0000
@@ -1,7 +1,8 @@
 Source: sbsigntool
 Section: utils
 Priority: optional
-Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
 Uploaders: Pierre Chifflier <pollux@debian.org>,
 	   Steve McIntyre <93sam@debian.org>
 Build-Depends: debhelper-compat (= 13),
diff -pruN 0.9.4-3.1/debian/patches/0001-sbverify-support-certificate-bundle.patch 0.9.4-3.1ubuntu2/debian/patches/0001-sbverify-support-certificate-bundle.patch
--- 0.9.4-3.1/debian/patches/0001-sbverify-support-certificate-bundle.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/patches/0001-sbverify-support-certificate-bundle.patch	2022-11-21 11:22:28.000000000 +0000
@@ -0,0 +1,128 @@
+From d0de9bf9aa7f32f848350536d8c38732d888e0e5 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+Date: Mon, 21 Nov 2022 10:53:49 +0000
+Subject: [PATCH] sbverify: support certificate bundle
+
+It is often convenient to have a single cert bundle, and verify
+binaries against it. For example, a cert bundle of all the
+certificates in shim+db+mok, and then verify if a binary passes
+verification and thus will boot. Or a cert bundle of all the dbx+mokx
+certs and check if a given binary will not boot, if verification
+passes.
+
+This is similar to some of the openssl commands that also support
+loading cert-bundles for verification.
+
+Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+---
+ src/fileio.c         | 33 +++++++++++++++++++++++++++++++++
+ src/fileio.h         |  1 +
+ src/sbverify.c       | 14 +-------------
+ tests/sign-verify.sh |  3 +++
+ 4 files changed, 38 insertions(+), 13 deletions(-)
+
+diff --git a/src/fileio.c b/src/fileio.c
+index 032eb1e2fd..3b5996c86c 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -138,6 +138,39 @@ out:
+ 	return cert;
+ }
+ 
++int fileio_read_certs(X509_STORE *certs, const char *filename)
++{
++	X509 *cert = NULL;
++	BIO *bio;
++	int rc = 0;
++
++	bio = BIO_new_file(filename, "r");
++	if (!bio)
++		goto out;
++
++	while (1) {
++		cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
++		if (!cert) {
++			unsigned long err = ERR_peek_last_error();
++			if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
++			    ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
++				ERR_clear_error();
++				break;
++			}
++			fprintf(stderr, "Can't load certificate from file '%s'\n",
++				filename);
++			ERR_print_errors_fp(stderr);
++			rc = -1;
++			goto out;
++		}
++		X509_STORE_add_cert(certs, cert);
++	}
++
++out:
++	BIO_free_all(bio);
++	return rc;
++}
++
+ static int __fileio_read_file(void *ctx, const char *filename,
+ 		 uint8_t **out_buf, size_t *out_len, int flags)
+ {
+diff --git a/src/fileio.h b/src/fileio.h
+index b3ed22cea9..37f4a94ef6 100644
+--- a/src/fileio.h
++++ b/src/fileio.h
+@@ -40,6 +40,7 @@
+ EVP_PKEY *fileio_read_pkey(const char *filename);
+ EVP_PKEY *fileio_read_engine_key(const char *engine, const char *filename);
+ X509 *fileio_read_cert(const char *filename);
++int fileio_read_certs(X509_STORE *certs, const char *filename);
+ 
+ int fileio_read_file(void *ctx, const char *filename,
+ 		uint8_t **out_buf, size_t *out_len);
+diff --git a/src/sbverify.c b/src/sbverify.c
+index 8f14f35260..c9d1b85719 100644
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -102,18 +102,6 @@ static void version(void)
+ 	printf("%s %s\n", toolname, VERSION);
+ }
+ 
+-int load_cert(X509_STORE *certs, const char *filename)
+-{
+-	X509 *cert;
+-
+-	cert = fileio_read_cert(filename);
+-	if (!cert)
+-		return -1;
+-
+-	X509_STORE_add_cert(certs, cert);
+-	return 0;
+-}
+-
+ static void print_signature_info(PKCS7 *p7)
+ {
+ 	char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
+@@ -271,7 +259,7 @@ int main(int argc, char **argv)
+ 
+ 		switch (c) {
+ 		case 'c':
+-			rc = load_cert(certs, optarg);
++			rc = fileio_read_certs(certs, optarg);
+ 			if (rc)
+ 				return EXIT_FAILURE;
+ 			break;
+diff --git a/tests/sign-verify.sh b/tests/sign-verify.sh
+index a61aff82ef..c4fde450ff 100755
+--- a/tests/sign-verify.sh
++++ b/tests/sign-verify.sh
+@@ -8,6 +8,9 @@ signed="test.signed"
+ # there's no intermediate cert in the image so it can't chain to the ca which
+ # is why this should fail
+ "$sbverify" --cert "$cacert" "$signed" && exit 1
++# check that verification with a bundle of certs works
++"$sbverify" --verbose --verbose --cert <(cat "$intcert" "$cacert") "$signed" || exit 1
++"$sbverify" --verbose --verbose --cert <(cat "$cacert" "$intcert") "$signed" || exit 1
+ 
+ # now add the intermediates and each level should succeed
+ "$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" "$image" || exit 1
+-- 
+2.34.1
+
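Review bot: `fileio_read_certs` returns 0 when `BIO_new_file` fails, because the `if (!bio) goto out;` path never sets `rc`, so a missing or unreadable `--cert` file now leaves the store empty and sbverify carries on instead of exiting with `EXIT_FAILURE` as the removed `load_cert` did. A bundle containing no PEM certificates is accepted the same way, since the `PEM_R_NO_START_LINE` break fires on the first iteration with `rc` still 0; for the dbx/mokx use described in the patch message an empty bundle then reads as "not revoked". Each loaded `cert` is also never released after `X509_STORE_add_cert` takes its own reference. The rewrite below reports the open failure, frees each certificate once it is in the store, and fails when nothing was loaded; the loop's error handling and the `out:` cleanup are otherwise unchanged. The added tests rely on bash process substitution `<(cat …)`, which requires `tests/sign-verify.sh` to run under bash — its shebang is outside the hunk, so confirm it.
```c
int fileio_read_certs(X509_STORE *certs, const char *filename)
{
	X509 *cert = NULL;
	BIO *bio;
	int rc = 0, n_certs = 0;

	bio = BIO_new_file(filename, "r");
	if (!bio) {
		fprintf(stderr, "Can't open certificate file '%s'\n", filename);
		ERR_print_errors_fp(stderr);
		rc = -1;
		goto out;
	}

	while (1) {
		cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
		/* … unchanged: PEM_R_NO_START_LINE ends the loop, any other error reports and sets rc = -1 … */
		X509_STORE_add_cert(certs, cert);
		X509_free(cert);	/* the store holds its own reference */
		n_certs++;
	}

	if (!n_certs) {
		fprintf(stderr, "No certificates found in file '%s'\n", filename);
		rc = -1;
	}

out:
	/* … unchanged: BIO_free_all(bio) and return rc … */
```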
diff -pruN 0.9.4-3.1/debian/patches/OpenSSL3.patch 0.9.4-3.1ubuntu2/debian/patches/OpenSSL3.patch
--- 0.9.4-3.1/debian/patches/OpenSSL3.patch	2022-06-04 11:36:45.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/patches/OpenSSL3.patch	2021-11-05 17:32:24.000000000 +0000
@@ -1,4 +1,4 @@
-Subject: Fix openssl-3.0 issue involving ASN1 xxx_it
+Subject: [PATCH] Fix openssl-3.0 issue involving ASN1 xxx_it
 From: Jeremi Piotrowski <jeremi.piotrowski@microsoft.com>
 Origin: https://groups.io/g/sbsigntools/message/54
 
@@ -30,3 +30,6 @@ index 6d87bd4..0a82218 100644
  
          idc->digest->alg->parameter = ASN1_TYPE_new();
          idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
+-- 
+2.25.1
+
diff -pruN 0.9.4-3.1/debian/patches/sbkeysync-Don-t-ignore-errors-from-insert_new_keys.patch 0.9.4-3.1ubuntu2/debian/patches/sbkeysync-Don-t-ignore-errors-from-insert_new_keys.patch
--- 0.9.4-3.1/debian/patches/sbkeysync-Don-t-ignore-errors-from-insert_new_keys.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/patches/sbkeysync-Don-t-ignore-errors-from-insert_new_keys.patch	2021-08-18 07:47:17.000000000 +0000
@@ -0,0 +1,58 @@
+From 5805cce93c71b8acca676b5e9521be58811216c3 Mon Sep 17 00:00:00 2001
+From: dann frazier <dann.frazier@canonical.com>
+Date: Wed, 5 Aug 2020 14:52:19 -0600
+Subject: [PATCH] sbkeysync: Don't ignore errors from insert_new_keys()
+
+If insert_new_keys() fails, say due to a full variable store, we currently
+still exit(0). This can make it difficult to know something is wrong.
+For example, Debian and Ubuntu implement a secureboot-db systemd service
+to update the DB and DBX, which calls:
+
+ ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
+
+But although this seemed to succeed on my system, looking at the logs shows
+a different story:
+
+Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
+Error writing key update: Invalid argument
+Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
+
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+---
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968974
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1892797
+Origin: upstream,https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826
+Last-Updated: 2020-08-24
+
+Index: sbsigntool-0.9.2/src/sbkeysync.c
+===================================================================
+--- sbsigntool-0.9.2.orig/src/sbkeysync.c
++++ sbsigntool-0.9.2/src/sbkeysync.c
+@@ -883,10 +883,12 @@ int main(int argc, char **argv)
+ {
+ 	bool use_default_keystore_dirs;
+ 	struct sync_context *ctx;
++	int rc;
+ 
+ 	use_default_keystore_dirs = true;
+ 	ctx = talloc_zero(NULL, struct sync_context);
+ 	list_head_init(&ctx->new_keys);
++	rc = EXIT_SUCCESS;
+ 
+ 	for (;;) {
+ 		int idx, c;
+@@ -975,10 +977,10 @@ int main(int argc, char **argv)
+ 	if (ctx->verbose)
+ 		print_new_keys(ctx);
+ 
+-	if (!ctx->dry_run)
+-		insert_new_keys(ctx);
++	if (!ctx->dry_run && insert_new_keys(ctx))
++		rc = EXIT_FAILURE;
+ 
+ 	talloc_free(ctx);
+ 
+-	return EXIT_SUCCESS;
++	return rc;
+ }
diff -pruN 0.9.4-3.1/debian/patches/series 0.9.4-3.1ubuntu2/debian/patches/series
--- 0.9.4-3.1/debian/patches/series	2022-06-04 11:36:09.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/patches/series	2022-11-21 11:22:28.000000000 +0000
@@ -1,4 +1,9 @@
 sbsign_check_write_return.patch
 fix-efi-arch-detection.patch
 0001-sbsigntool-add-support-for-RISC-V-images.patch
+sbkeysync-Don-t-ignore-errors-from-insert_new_keys.patch
+ubuntu-kernel-module-signing.patch
+ubuntu-kernel-module-signing-fixes.patch
+ubuntu-clear-image-before-use.patch
 OpenSSL3.patch
+0001-sbverify-support-certificate-bundle.patch
diff -pruN 0.9.4-3.1/debian/patches/ubuntu-clear-image-before-use.patch 0.9.4-3.1ubuntu2/debian/patches/ubuntu-clear-image-before-use.patch
--- 0.9.4-3.1/debian/patches/ubuntu-clear-image-before-use.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/patches/ubuntu-clear-image-before-use.patch	2021-08-18 07:47:17.000000000 +0000
@@ -0,0 +1,17 @@
+Description: clear image before use
+ We rely on the image being clear as we will attempt to free
+ cirtain elements before reuse.  Switch to a zeroing allocate.
+Author: Andy Whitcroft <apw@ubuntu.com>
+Last-Update: 2016-05-09
+
+--- a/src/image.c
++++ b/src/image.c
+@@ -462,7 +462,7 @@
+ 	struct image *image;
+ 	int rc;
+ 
+-	image = talloc(NULL, struct image);
++	image = talloc_zero(NULL, struct image);
+ 	if (!image) {
+ 		perror("talloc(image)");
+ 		return NULL;
diff -pruN 0.9.4-3.1/debian/patches/ubuntu-kernel-module-signing-fixes.patch 0.9.4-3.1ubuntu2/debian/patches/ubuntu-kernel-module-signing-fixes.patch
--- 0.9.4-3.1/debian/patches/ubuntu-kernel-module-signing-fixes.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/patches/ubuntu-kernel-module-signing-fixes.patch	2021-08-18 07:47:17.000000000 +0000
@@ -0,0 +1,118 @@
+Description: Ubunty kernel module signing fixes
+ Separate out any local fixes we need to kmodsign.c to allow us to update
+ it more easily from mainline when necessary.
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1526959
+Forwarded: not-needed
+Author: Andy Whitcroft <apw@ubuntu.com>
+Last-Update: 2016-05-17
+
+--- a/src/kmodsign.c
++++ b/src/kmodsign.c
+@@ -62,11 +62,26 @@
+ 
+ static char magic_number[] = "~Module signature appended~\n";
+ 
++static void usage(void)
++{
++	printf("Usage: kmodsign [-dpkD] <hash algo> <key> <x509> <module> [<dest>]\n"
++		"Sign a kernel module image for use with an enforcing kernel.\n\n"
++		"Options:\n"
++		"\t-p           save a copy of the p7s signature (.p7s)\n"
++		"\t-d           produce a detached signature file (.p7s) only\n"
++		"\t-D           produce a full detached signature block\n"
++		"\t             (may be cat'd onto the end of a module)\n"
++		"\t-k           switch to using keyid for identification\n");
++}
++static void version(void)
++{
++	printf("kmodsign 4.4\n");
++}
++
+ static __attribute__((noreturn))
+ void format(void)
+ {
+-	fprintf(stderr,
+-		"Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
++	usage();
+ 	exit(2);
+ }
+ 
+@@ -107,7 +122,8 @@
+ 
+ static const char *key_pass;
+ 
+-static int pem_pw_cb(char *buf, int len, int w, void *v)
++static int pem_pw_cb(char *buf, int len, int w __attribute__((unused)),
++		     void *v __attribute__((unused)))
+ {
+ 	int pwlen;
+ 
+@@ -126,6 +142,12 @@
+ 	return pwlen;
+ }
+ 
++static struct option options[] = {
++	{ "version", no_argument, NULL, 'V' },
++	{ "help", no_argument, NULL, 'h' },
++	{ NULL, 0, NULL, 0 },
++};
++
+ int main(int argc, char **argv)
+ {
+ 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+@@ -133,6 +155,7 @@
+ 	char *private_key_name, *x509_name, *module_name, *dest_name;
+ 	bool save_sig = false, replace_orig;
+ 	bool sign_only = false;
++	bool detached = false;
+ 	unsigned char buf[4096];
+ 	unsigned long module_size, sig_size;
+ 	unsigned int use_signed_attrs;
+@@ -160,13 +183,17 @@
+ #endif
+ 
+ 	do {
+-		opt = getopt(argc, argv, "dpk");
++		int idx;
++		opt = getopt_long(argc, argv, "dpkDhV", options, &idx);
+ 		switch (opt) {
+ 		case 'p': save_sig = true; break;
+ 		case 'd': sign_only = true; save_sig = true; break;
++		case 'D': detached = true; break;
+ #ifndef USE_PKCS7
+ 		case 'k': use_keyid = CMS_USE_KEYID; break;
+ #endif
++		case 'V': version(); exit(0); break;
++		case 'h': usage(); exit(0); break;
+ 		case -1: break;
+ 		default: format();
+ 		}
+@@ -192,7 +219,7 @@
+ 
+ #ifdef USE_PKCS7
+ 	if (strcmp(hash_algo, "sha1") != 0) {
+-		fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
++		fprintf(stderr, "kmodsign %s only supports SHA1 signing\n",
+ 			OPENSSL_VERSION_TEXT);
+ 		exit(3);
+ 	}
+@@ -295,12 +322,14 @@
+ 		return 0;
+ 
+ 	/* Append the marker and the PKCS#7 message to the destination file */
+-	ERR(BIO_reset(bm) < 0, "%s", module_name);
+-	while ((n = BIO_read(bm, buf, sizeof(buf))),
+-	       n > 0) {
+-		ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
++	if (!detached) {
++		ERR(BIO_reset(bm) < 0, "%s", module_name);
++		while ((n = BIO_read(bm, buf, sizeof(buf))),
++		       n > 0) {
++			ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
++		}
++		ERR(n < 0, "%s", module_name);
+ 	}
+-	ERR(n < 0, "%s", module_name);
+ 	module_size = BIO_number_written(bd);
+ 
+ #ifndef USE_PKCS7
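Review bot: The new `-D` path skips copying the module into `bd` but leaves the end-of-`main` `rename(dest_name, module_name)` in place, so `kmodsign -D <hash> <key> <x509> <module>` without a `<dest>` (the case where `replace_orig` is set) overwrites the module with just the detached signature block. The argument handling and the `rename()` are outside this hunk, so confirm against the full file, but nothing in the option parsing added here rejects that combination. A guard after the argument check, e.g. `if (detached && replace_orig) errx(1, "-D requires an explicit <dest>");` (err.h is already included for `err()`), keeps it from destroying the input. The new `usage()` also omits the `-h`/`--help` and `-V`/`--version` options handled in the same `switch`; a final line such as `"\t-h, -V       show this help or the version\n"` would document them.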
diff -pruN 0.9.4-3.1/debian/patches/ubuntu-kernel-module-signing.patch 0.9.4-3.1ubuntu2/debian/patches/ubuntu-kernel-module-signing.patch
--- 0.9.4-3.1/debian/patches/ubuntu-kernel-module-signing.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.4-3.1ubuntu2/debian/patches/ubuntu-kernel-module-signing.patch	2021-08-18 07:47:17.000000000 +0000
@@ -0,0 +1,370 @@
+Description: Ubuntu kernel module signing
+ Add the kmodsign (sign-file from the upstream linux kernel)
+ so that we can use it for external module signing.
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1526959
+Forwarded: not-needed
+Author: Andy Whitcroft <apw@ubuntu.com>
+Last-Update: 2016-05-17
+
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1,5 +1,5 @@
+ 
+-bin_PROGRAMS = sbsign sbverify sbattach sbvarsign sbsiglist sbkeysync
++bin_PROGRAMS = sbsign sbverify sbattach sbvarsign sbsiglist sbkeysync kmodsign
+ 
+ coff_headers = coff/external.h coff/pe.h
+ AM_CFLAGS = -Wall -Wextra --std=gnu99
+@@ -35,3 +35,7 @@
+ sbkeysync_LDADD = $(common_LDADD) $(uuid_LIBS)
+ sbkeysync_CPPFLAGS = $(EFI_CPPFLAGS)
+ sbkeysync_CFLAGS = $(AM_CFLAGS) $(common_CFLAGS)
++
++kmodsign_SOURCES = kmodsign.c
++kmodsign_LDADD = -lcrypto
++kmodsign_CFLAGS = $(AM_CFLAGS) $(common_CFLAGS)
+--- /dev/null
++++ b/src/kmodsign.c
+@@ -0,0 +1,323 @@
++/* Sign a module file using the given key.
++ *
++ * Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved.
++ * Copyright © 2015      Intel Corporation.
++ *
++ * Authors: David Howells <dhowells@redhat.com>
++ *          David Woodhouse <dwmw2@infradead.org>
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public License
++ * as published by the Free Software Foundation; either version 2.1
++ * of the licence, or (at your option) any later version.
++ */
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <stdlib.h>
++#include <stdint.h>
++#include <stdbool.h>
++#include <string.h>
++#include <getopt.h>
++#include <err.h>
++#include <arpa/inet.h>
++#include <openssl/opensslv.h>
++#include <openssl/bio.h>
++#include <openssl/evp.h>
++#include <openssl/pem.h>
++#include <openssl/err.h>
++#include <openssl/engine.h>
++
++/*
++ * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
++ * assume that it's not available and its header file is missing and that we
++ * should use PKCS#7 instead.  Switching to the older PKCS#7 format restricts
++ * the options we have on specifying the X.509 certificate we want.
++ *
++ * Further, older versions of OpenSSL don't support manually adding signers to
++ * the PKCS#7 message so have to accept that we get a certificate included in
++ * the signature message.  Nor do such older versions of OpenSSL support
++ * signing with anything other than SHA1 - so we're stuck with that if such is
++ * the case.
++ */
++#if OPENSSL_VERSION_NUMBER < 0x10000000L
++#define USE_PKCS7
++#endif
++#ifndef USE_PKCS7
++#include <openssl/cms.h>
++#else
++#include <openssl/pkcs7.h>
++#endif
++
++struct module_signature {
++	uint8_t		algo;		/* Public-key crypto algorithm [0] */
++	uint8_t		hash;		/* Digest algorithm [0] */
++	uint8_t		id_type;	/* Key identifier type [PKEY_ID_PKCS7] */
++	uint8_t		signer_len;	/* Length of signer's name [0] */
++	uint8_t		key_id_len;	/* Length of key identifier [0] */
++	uint8_t		__pad[3];
++	uint32_t	sig_len;	/* Length of signature data */
++};
++
++#define PKEY_ID_PKCS7 2
++
++static char magic_number[] = "~Module signature appended~\n";
++
++static __attribute__((noreturn))
++void format(void)
++{
++	fprintf(stderr,
++		"Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
++	exit(2);
++}
++
++static void display_openssl_errors(int l)
++{
++	const char *file;
++	char buf[120];
++	int e, line;
++
++	if (ERR_peek_error() == 0)
++		return;
++	fprintf(stderr, "At main.c:%d:\n", l);
++
++	while ((e = ERR_get_error_line(&file, &line))) {
++		ERR_error_string(e, buf);
++		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
++	}
++}
++
++static void drain_openssl_errors(void)
++{
++	const char *file;
++	int line;
++
++	if (ERR_peek_error() == 0)
++		return;
++	while (ERR_get_error_line(&file, &line)) {}
++}
++
++#define ERR(cond, fmt, ...)				\
++	do {						\
++		bool __cond = (cond);			\
++		display_openssl_errors(__LINE__);	\
++		if (__cond) {				\
++			err(1, fmt, ## __VA_ARGS__);	\
++		}					\
++	} while(0)
++
++static const char *key_pass;
++
++static int pem_pw_cb(char *buf, int len, int w, void *v)
++{
++	int pwlen;
++
++	if (!key_pass)
++		return -1;
++
++	pwlen = strlen(key_pass);
++	if (pwlen >= len)
++		return -1;
++
++	strcpy(buf, key_pass);
++
++	/* If it's wrong, don't keep trying it. */
++	key_pass = NULL;
++
++	return pwlen;
++}
++
++int main(int argc, char **argv)
++{
++	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
++	char *hash_algo = NULL;
++	char *private_key_name, *x509_name, *module_name, *dest_name;
++	bool save_sig = false, replace_orig;
++	bool sign_only = false;
++	unsigned char buf[4096];
++	unsigned long module_size, sig_size;
++	unsigned int use_signed_attrs;
++	const EVP_MD *digest_algo;
++	EVP_PKEY *private_key;
++#ifndef USE_PKCS7
++	CMS_ContentInfo *cms;
++	unsigned int use_keyid = 0;
++#else
++	PKCS7 *pkcs7;
++#endif
++	X509 *x509;
++	BIO *b, *bd = NULL, *bm;
++	int opt, n;
++	OpenSSL_add_all_algorithms();
++	ERR_load_crypto_strings();
++	ERR_clear_error();
++
++	key_pass = getenv("KBUILD_SIGN_PIN");
++
++#ifndef USE_PKCS7
++	use_signed_attrs = CMS_NOATTR;
++#else
++	use_signed_attrs = PKCS7_NOATTR;
++#endif
++
++	do {
++		opt = getopt(argc, argv, "dpk");
++		switch (opt) {
++		case 'p': save_sig = true; break;
++		case 'd': sign_only = true; save_sig = true; break;
++#ifndef USE_PKCS7
++		case 'k': use_keyid = CMS_USE_KEYID; break;
++#endif
++		case -1: break;
++		default: format();
++		}
++	} while (opt != -1);
++
++	argc -= optind;
++	argv += optind;
++	if (argc < 4 || argc > 5)
++		format();
++
++	hash_algo = argv[0];
++	private_key_name = argv[1];
++	x509_name = argv[2];
++	module_name = argv[3];
++	if (argc == 5) {
++		dest_name = argv[4];
++		replace_orig = false;
++	} else {
++		ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
++		    "asprintf");
++		replace_orig = true;
++	}
++
++#ifdef USE_PKCS7
++	if (strcmp(hash_algo, "sha1") != 0) {
++		fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
++			OPENSSL_VERSION_TEXT);
++		exit(3);
++	}
++#endif
++
++	/* Read the private key and the X.509 cert the PKCS#7 message
++	 * will point to.
++	 */
++	if (!strncmp(private_key_name, "pkcs11:", 7)) {
++		ENGINE *e;
++
++		ENGINE_load_builtin_engines();
++		drain_openssl_errors();
++		e = ENGINE_by_id("pkcs11");
++		ERR(!e, "Load PKCS#11 ENGINE");
++		if (ENGINE_init(e))
++			drain_openssl_errors();
++		else
++			ERR(1, "ENGINE_init");
++		if (key_pass)
++			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
++		private_key = ENGINE_load_private_key(e, private_key_name, NULL,
++						      NULL);
++		ERR(!private_key, "%s", private_key_name);
++	} else {
++		b = BIO_new_file(private_key_name, "rb");
++		ERR(!b, "%s", private_key_name);
++		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
++		ERR(!private_key, "%s", private_key_name);
++		BIO_free(b);
++	}
++
++	b = BIO_new_file(x509_name, "rb");
++	ERR(!b, "%s", x509_name);
++	x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
++	if (!x509) {
++		ERR(BIO_reset(b) != 1, "%s", x509_name);
++		x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
++		if (x509)
++			drain_openssl_errors();
++	}
++	BIO_free(b);
++	ERR(!x509, "%s", x509_name);
++
++	/* Open the destination file now so that we can shovel the module data
++	 * across as we read it.
++	 */
++	if (!sign_only) {
++		bd = BIO_new_file(dest_name, "wb");
++		ERR(!bd, "%s", dest_name);
++	}
++
++	/* Digest the module data. */
++	OpenSSL_add_all_digests();
++	display_openssl_errors(__LINE__);
++	digest_algo = EVP_get_digestbyname(hash_algo);
++	ERR(!digest_algo, "EVP_get_digestbyname");
++
++	bm = BIO_new_file(module_name, "rb");
++	ERR(!bm, "%s", module_name);
++
++#ifndef USE_PKCS7
++	/* Load the signature message from the digest buffer. */
++	cms = CMS_sign(NULL, NULL, NULL, NULL,
++		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
++	ERR(!cms, "CMS_sign");
++
++	ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
++			     CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
++			     use_keyid | use_signed_attrs),
++	    "CMS_add1_signer");
++	ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
++	    "CMS_final");
++
++#else
++	pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
++			   PKCS7_NOCERTS | PKCS7_BINARY |
++			   PKCS7_DETACHED | use_signed_attrs);
++	ERR(!pkcs7, "PKCS7_sign");
++#endif
++
++	if (save_sig) {
++		char *sig_file_name;
++
++		ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
++		    "asprintf");
++		b = BIO_new_file(sig_file_name, "wb");
++		ERR(!b, "%s", sig_file_name);
++#ifndef USE_PKCS7
++		ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
++		    "%s", sig_file_name);
++#else
++		ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
++			"%s", sig_file_name);
++#endif
++		BIO_free(b);
++	}
++
++	if (sign_only)
++		return 0;
++
++	/* Append the marker and the PKCS#7 message to the destination file */
++	ERR(BIO_reset(bm) < 0, "%s", module_name);
++	while ((n = BIO_read(bm, buf, sizeof(buf))),
++	       n > 0) {
++		ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
++	}
++	ERR(n < 0, "%s", module_name);
++	module_size = BIO_number_written(bd);
++
++#ifndef USE_PKCS7
++	ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
++#else
++	ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
++#endif
++	sig_size = BIO_number_written(bd) - module_size;
++	sig_info.sig_len = htonl(sig_size);
++	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
++	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
++
++	ERR(BIO_free(bd) < 0, "%s", dest_name);
++
++	/* Finally, if we're signing in place, replace the original. */
++	if (replace_orig)
++		ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
++
++	return 0;
++}
+--- a/docs/Makefile.am
++++ b/docs/Makefile.am
+@@ -1,9 +1,9 @@
+ 
+ man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 \
+-		sbkeysync.1
++		sbkeysync.1 kmodsign.1
+ 
+ EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
+-		sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in
++		sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in kmodsign.1.in
+ CLEANFILES = $(man1_MANS)
+ 
+ $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
+--- /dev/null
++++ b/docs/kmodsign.1.in
+@@ -0,0 +1,2 @@
++[name]
++kmodsign - Kernel module signing tool
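Review bot: `display_openssl_errors` formats each error with `ERR_error_string(e, buf)` into `char buf[120]`, but that function writes assuming a destination of at least 256 bytes, so a long error string overruns the stack buffer; use the bounded form, `ERR_error_string_n(e, buf, sizeof(buf));`. The same function prints `At main.c:%d`, naming a file that does not exist in this tree; `fprintf(stderr, "At %s:%d:\n", __FILE__, l);` reports the real source location. `ERR_load_crypto_strings`, `OpenSSL_add_all_algorithms` and `ERR_get_error_line` are deprecated in current OpenSSL releases, which is presumably why the changelog records disabling -Werror on deprecation warnings for this package; worth a comment at the top of the file so the next OpenSSL transition does not come as a surprise.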
