| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <14325.1430914129@warthog.procyon.org.uk>
Date: Wed, 06 May 2015 13:08:49 +0100
From: David Howells <dhowells@...hat.com>
To: "Luis R. Rodriguez" <mcgrof@...not-panic.com>
Cc: dhowells@...hat.com, rusty@...tcorp.com.au, ming.lei@...onical.com,
seth.forshee@...onical.com, kyle@...nel.org,
akpm@...ux-foundation.org, gregkh@...uxfoundation.org,
keescook@...omium.org, casey@...aufler-ca.com, tiwai@...e.de,
mjg59@...f.ucam.org, wireless-regdb@...ts.infradead.org,
linux-wireless@...r.kernel.org, jlee@...e.com,
linux-kernel@...r.kernel.org, "Luis R. Rodriguez" <mcgrof@...e.com>
Subject: Re: [PATCH v1 02/12] kernel: generalize module signing as system data signing
Luis R. Rodriguez <mcgrof@...not-panic.com> wrote:
> This generalizes the module signing code as helpers, we do
> this as we'll later re-use this same code for firmware and
> other system data signing.
I'm trying to move us to the use of PKCS#7 certificates as module signatures.
See here:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7
I would suggest you use this as a base.
Also, I would suggest, if you can manage it, either:
(1) Keep the signature and the firmware blobs separate on disk for copyright
and/or licensing purposes.
(2) Put the firmware blob inside the PKCS#7 message as the embedded data.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists