From 9184027f0aaf6c95856bb57d04d0fa0b16fd9981 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Fri, 1 May 2020 17:37:53 +0200 Subject: docs: move digsig docs to the security book Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/6af5365404c7bd9d008e7e3a77ba83587fd33012.1588345503.git.mchehab+huawei@kernel.org Signed-off-by: Jonathan Corbet --- Documentation/digsig.txt | 101 ----------------------------------------------- 1 file changed, 101 deletions(-) delete mode 100644 Documentation/digsig.txt (limited to 'Documentation/digsig.txt') diff --git a/Documentation/digsig.txt b/Documentation/digsig.txt deleted file mode 100644 index f6a8902d3ef7..000000000000 --- a/Documentation/digsig.txt +++ /dev/null @@ -1,101 +0,0 @@ -================================== -Digital Signature Verification API -================================== - -:Author: Dmitry Kasatkin -:Date: 06.10.2011 - - -.. CONTENTS - - 1. Introduction - 2. API - 3. User-space utilities - - -Introduction -============ - -Digital signature verification API provides a method to verify digital signature. -Currently digital signatures are used by the IMA/EVM integrity protection subsystem. - -Digital signature verification is implemented using cut-down kernel port of -GnuPG multi-precision integers (MPI) library. The kernel port provides -memory allocation errors handling, has been refactored according to kernel -coding style, and checkpatch.pl reported errors and warnings have been fixed. - -Public key and signature consist of header and MPIs:: - - struct pubkey_hdr { - uint8_t version; /* key format version */ - time_t timestamp; /* key made, always 0 for now */ - uint8_t algo; - uint8_t nmpi; - char mpi[0]; - } __packed; - - struct signature_hdr { - uint8_t version; /* signature format version */ - time_t timestamp; /* signature made */ - uint8_t algo; - uint8_t hash; - uint8_t keyid[8]; - uint8_t nmpi; - char mpi[0]; - } __packed; - -keyid equals to SHA1[12-19] over the total key content. -Signature header is used as an input to generate a signature. -Such approach insures that key or signature header could not be changed. -It protects timestamp from been changed and can be used for rollback -protection. - -API -=== - -API currently includes only 1 function:: - - digsig_verify() - digital signature verification with public key - - - /** - * digsig_verify() - digital signature verification with public key - * @keyring: keyring to search key in - * @sig: digital signature - * @sigen: length of the signature - * @data: data - * @datalen: length of the data - * @return: 0 on success, -EINVAL otherwise - * - * Verifies data integrity against digital signature. - * Currently only RSA is supported. - * Normally hash of the content is used as a data for this function. - * - */ - int digsig_verify(struct key *keyring, const char *sig, int siglen, - const char *data, int datalen); - -User-space utilities -==================== - -The signing and key management utilities evm-utils provide functionality -to generate signatures, to load keys into the kernel keyring. -Keys can be in PEM or converted to the kernel format. -When the key is added to the kernel keyring, the keyid defines the name -of the key: 5D2B05FC633EE3E8 in the example bellow. - -Here is example output of the keyctl utility:: - - $ keyctl show - Session Keyring - -3 --alswrv 0 0 keyring: _ses - 603976250 --alswrv 0 -1 \_ keyring: _uid.0 - 817777377 --alswrv 0 0 \_ user: kmk - 891974900 --alswrv 0 0 \_ encrypted: evm-key - 170323636 --alswrv 0 0 \_ keyring: _module - 548221616 --alswrv 0 0 \_ keyring: _ima - 128198054 --alswrv 0 0 \_ keyring: _evm - - $ keyctl list 128198054 - 1 key in keyring: - 620789745: --alswrv 0 0 user: 5D2B05FC633EE3E8 -- cgit v1.2.1