| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+55aFwX5AmMgEAZ8uSdH=8g00xVD3NfnvgBbgSytMGdcifKMg@mail.gmail.com>
Date: Thu, 21 Feb 2013 10:56:44 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Peter Jones <pjones@...hat.com>
Cc: David Howells <dhowells@...hat.com>,
Matthew Garrett <mjg59@...f.ucam.org>,
Josh Boyer <jwboyer@...hat.com>,
Vivek Goyal <vgoyal@...hat.com>,
Kees Cook <keescook@...omium.org>, keyrings@...ux-nfs.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] Load keys from signed PE binaries
On Thu, Feb 21, 2013 at 10:34 AM, Peter Jones <pjones@...hat.com> wrote:
> On Thu, Feb 21, 2013 at 10:25:47AM -0800, Linus Torvalds wrote:
>> - why do you bother with the MS keysigning of Linux kernel modules to
>> begin with?
>
> This is not actually what the patchset implements. All it's done here
> is using PE files as envelopes for keys. The usage this enables is to
> allow for whoever makes a module (binary only or merely out of tree for
> whatever reason) to sign it and vouch for it themselves. That could
> include, for example, a systemtap module.
Umm. And which part of "We already support that, using standard X.509
certificates" did we suddenly miss?
So no. The PE file thing makes no sense what-so-ever. What you mention
we can already do, and we already do it *better*.
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists