pesign fails to sign kernel modules using a self-signed certificate #130
Draft
gordonmessmer wants to merge 4 commits into
Assisted-by: Claude
Replace SEC_PKCS7CreateSignedData() with generate_spc_signed_data() to avoid strict certificate chain validation that fails for self-signed certificates even when trust flags are properly set.

SEC_PKCS7CreateSignedData() performs internal chain validation that cannot be bypassed with trust flags alone, causing SEC_ERROR_UNKNOWN_ISSUER errors when signing kernel modules with self-signed certificates.

The PE signing code already uses generate_spc_signed_data() which manually constructs PKCS7 signatures without strict chain validation. Using the same approach for kernel module signing allows self-signed module and kernel certificates to work correctly.

Assisted-by: Claude
Assisted-by: Claude
efikeygen in 116 fails with the error:

    cms_common.c:find_certificate_by_callback:884: Could not find certificate:SEC_ERROR_EXTENSION_NOT_FOUND:Certificate extension not found.
    efikeygen.c:add_trust:100: Could not find certificate

This change exits on such a failure so that the functional tests can detect the error and prevent similar bugs in the future.
When signing kernel modules, using a self-signed certificate, pesign will fail with an error:
This PR attempts to resolve that error.
It also adds a set of functional tests to ensure
These tests cannot be merged as-is because they expect a kernel image and a kernel module in tests/data. I hate committing binary blobs to git repos, so I'd like your opinion on whether the tests are useful and how you'd like to handle test data.
It's probably also not sufficient to accept the exit code of pesign, alone, as a test result. Would you like to see any specific tests on the signed objects?
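A structural check that a functional test could run on a signed module in addition to pesign's exit code, given as an added example that is not part of this PR or of pesign. It assumes the signed file carries the Linux kernel's appended module-signature trailer (PKCS#7 blob, 12-byte info block, magic string); `modsig_check` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumption: trailer layout follows the Linux kernel's struct module_signature. */
#define MODSIG_MAGIC "~Module signature appended~\n"
#define MODSIG_MAGIC_LEN (sizeof(MODSIG_MAGIC) - 1)
#define MODSIG_INFO_LEN 12   /* algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len */
#define PKEY_ID_PKCS7 2

enum modsig_status { MODSIG_OK, MODSIG_NO_MAGIC, MODSIG_TRUNCATED,
                     MODSIG_BAD_ID_TYPE, MODSIG_BAD_FIELDS, MODSIG_BAD_LENGTH };

/* Constructed sample: 4 payload bytes, a 4-byte DER stand-in for the
 * PKCS#7 blob, the 12-byte info block, then the magic string. */
static const uint8_t modsig_sample[] = {
    0x7f, 'E', 'L', 'F',  0x30, 0x02, 0x05, 0x00,
    0, 0, PKEY_ID_PKCS7, 0, 0, 0, 0, 0,  0, 0, 0, 4,
    '~','M','o','d','u','l','e',' ','s','i','g','n','a','t','u','r','e',' ',
    'a','p','p','e','n','d','e','d','~','\n',
};

/* Structural check of the trailer; on success reports where the signature blob sits. */
enum modsig_status modsig_check(const uint8_t *buf, size_t len, size_t *sig_off, size_t *sig_len)
{
    if (len < MODSIG_MAGIC_LEN ||
        memcmp(buf + len - MODSIG_MAGIC_LEN, MODSIG_MAGIC, MODSIG_MAGIC_LEN) != 0)
        return MODSIG_NO_MAGIC;
    len -= MODSIG_MAGIC_LEN;
    if (len < MODSIG_INFO_LEN)
        return MODSIG_TRUNCATED;
    len -= MODSIG_INFO_LEN;
    const uint8_t *info = buf + len;
    if (info[2] != PKEY_ID_PKCS7)
        return MODSIG_BAD_ID_TYPE;
    if (info[0] | info[1] | info[3] | info[4] | info[5] | info[6] | info[7])
        return MODSIG_BAD_FIELDS;          /* must all be zero for PKCS#7 */
    uint32_t n = (uint32_t)info[8] << 24 | (uint32_t)info[9] << 16 |
                 (uint32_t)info[10] << 8 | info[11];
    /* The blob must be non-empty, leave room for the module, and open with a DER SEQUENCE. */
    if (n == 0 || n >= len || buf[len - n] != 0x30)
        return MODSIG_BAD_LENGTH;
    *sig_off = len - n;
    *sig_len = n;
    return MODSIG_OK;
}

int main(void)
{
    size_t off, n;
    return modsig_check(modsig_sample, sizeof modsig_sample, &off, &n) != MODSIG_OK;
}
```

This confirms only that the trailer is well-formed; verifying the extracted blob against the signing certificate is a separate step.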