Date:	Mon, 18 May 2015 11:47:50 +0100
From:	David Howells <dhowells@...hat.com>
To:	David Woodhouse <dwmw2@...radead.org>
Cc:	dhowells@...hat.com,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Abelardo Ricart III <aricart@...nix.com>,
	Michal Marek <mmarek@...e.cz>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Sedat Dilek <sedat.dilek@...il.com>, keyrings@...ux-nfs.org,
	Rusty Russell <rusty@...tcorp.com.au>,
	LSM List <linux-security-module@...r.kernel.org>,
	James Morris <james.l.morris@...cle.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH] MODSIGN: Change default key details [ver #2]

David Woodhouse <dwmw2@...radead.org> wrote:

> Why not just take multiple certs in PEM form in a single file, rather
> than automatically including *.x509 in DER form? Wouldn't that be a
> whole lot easier? 

No, for the following reasons:

 (1) Unless we want the kernel to be able to handle PEM form, they have to be
     converted to DER form for inclusion in system_certificates.S.

 (2) We would have to combine the automatically generated signing cert with
     the added certs, though, admittedly, this could be done in
     system_certificates.S.

 (3) We've already told people they must drop DER certs into the source tree
     and distribution kernel packages are already doing this, so we have to
     make sure they get this right.

You could make it so that the make process picks up .pem files and converts
them to DER-encoded .x509 files.  You can cat a bunch of DER certs together
and the kernel will break them apart when it parses the single buffer that
contains all the certs.

We could even make the kernel handle PEM.  It shouldn't be very much overhead
since it's just a wrapping/encoding of the DER, right?

So it's by no means impossible, but it's not easier.

David
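The two build-side steps discussed in the reply (a make step turning a multi-cert PEM file into one concatenated DER blob, and the kernel breaking that single buffer back into individual certs by walking the DER SEQUENCE headers) as an added illustration; this is example code written for this archive page, not code from the kernel tree or from the thread. The two "certificates" are constructed DER stand-ins so the block runs offline; the function names are invented for the example.

```python
import base64
import re

# Constructed stand-ins for certificates: two DER SEQUENCEs (a real X.509
# cert is also a top-level SEQUENCE, so the same length-walking logic applies).
CERT_A = b"\x30\x03\x02\x01\x01"                        # short-form length
CERT_B = b"\x30\x82\x01\x00\x04\x81\xfd" + b"A" * 253   # long-form length, 260 bytes

def der_to_pem(der: bytes) -> str:
    """PEM is just base64 of the DER between BEGIN/END markers."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def pem_to_der_bundle(pem_text: str) -> bytes:
    """What a make step converting .pem into a concatenated DER blob would do."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return b"".join(base64.b64decode("".join(b.split())) for b in blocks)

def split_der_certs(buf: bytes) -> list:
    """Break a buffer of back-to-back DER certs apart by reading each
    SEQUENCE header, the way a loader of the built-in keyring blob must."""
    certs, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos] != 0x30:
            raise ValueError(f"expected SEQUENCE at offset {pos}")
        first = buf[pos + 1]
        if first < 0x80:                      # short form: one length byte
            length, hdr = first, 2
        else:                                 # long form: 0x8N then N bytes
            n = first & 0x7F
            if n == 0 or n > 4 or pos + 2 + n > len(buf):
                raise ValueError(f"bad length encoding at offset {pos}")
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr = 2 + n
        end = pos + hdr + length
        if end > len(buf):
            raise ValueError(f"truncated certificate at offset {pos}")
        certs.append(buf[pos:end])
        pos = end
    return certs

def bundle_is_wellformed(buf: bytes) -> bool:
    """True if the whole blob parses as complete DER objects (reject truncation)."""
    try:
        split_der_certs(buf)
        return True
    except ValueError:
        return False
```

A truncated or mis-catted blob is rejected as a whole rather than silently yielding a short last cert, which is the check worth having before the blob is linked into an image.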
