[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1431947593.29806.19.camel@infradead.org>
Date: Mon, 18 May 2015 12:13:13 +0100
From: David Woodhouse <dwmw2@...radead.org>
To: David Howells <dhowells@...hat.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Abelardo Ricart III <aricart@...nix.com>,
Michal Marek <mmarek@...e.cz>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Sedat Dilek <sedat.dilek@...il.com>, keyrings@...ux-nfs.org,
Rusty Russell <rusty@...tcorp.com.au>,
LSM List <linux-security-module@...r.kernel.org>,
James Morris <james.l.morris@...cle.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH] MODSIGN: Change default key details [ver #2]
On Mon, 2015-05-18 at 11:47 +0100, David Howells wrote:
> David Woodhouse <dwmw2@...radead.org> wrote:
>
> > Why not just take multiple certs in PEM form in a single file, rather
> > than automatically including *.x509 in DER form? Wouldn't that be a
> > whole lot easier?
>
> No, for the following reasons:
>
> (1) Unless we want the kernel to be able to handle PEM form, they have to be
> converted to DER form for inclusion in system_certificates.S.
It's just base64. It's fairly trivial to convert.
> (2) We would have to combine the automatically generated signing cert with
> the added certs, though, admittedly, this could be done in
> system_certificates.S.
Yes, merging the signing cert (be it automatically generated or
otherwise) does need to be done. But that's easy enough. And I already
have work to do on processing the signing cert, to allow it to come
from the same PKCS#11 URI that specifies the key.
> (3) We've already told people they must drop DER certs into the source tree
> and distribution kernel packages are already doing this, so we have to
> make sure they get this right.
Yes, absolutely. But I think we can cope with that.
> You could make it so that the make process picks up .pem files and converts
> them to DER-encoded .x509 files.
I don't actually care whether it's PEM or DER form per se. What I
really care about is the horrid trick of automatically finding the
files to be included with a wildcard, and pulling them into the build.
That would be icky enough if we *weren't* going to *trust* the things!
With a PEM file it's common to have multiple certs in a single file,
and you could have a simple config option for the 'additional certs'
file which explicitly pulls it in. Rather than the current hack.
Doing that with multiple certs in the same file in DER form, if that
works, would also be tolerable. Although it's less normal to have a
file in that format.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@...el.com Intel Corporation
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5691 bytes)
Powered by blists - more mailing lists