lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20150519163116.GE23057@wotan.suse.de>
Date:	Tue, 19 May 2015 18:31:16 +0200
From:	"Luis R. Rodriguez" <mcgrof@...e.com>
To:	David Howells <dhowells@...hat.com>
Cc:	"Luis R. Rodriguez" <mcgrof@...not-panic.com>,
	ming.lei@...onical.com, rusty@...tcorp.com.au,
	torvalds@...ux-foundation.org, seth.forshee@...onical.com,
	linux-kernel@...r.kernel.org, pebolle@...cali.nl,
	linux-wireless@...r.kernel.org, gregkh@...uxfoundation.org,
	jlee@...e.com, tiwai@...e.de, casey@...aufler-ca.com,
	keescook@...omium.org, mjg59@...f.ucam.org,
	akpm@...ux-foundation.org, Kyle McMartin <kyle@...nel.org>,
	David Woodhouse <David.Woodhouse@...el.com>
Subject: Re: [RFC v3 2/2] firmware: add firmware signature checking support

On Tue, May 19, 2015 at 11:02:44AM +0100, David Howells wrote:
> Luis R. Rodriguez <mcgrof@...not-panic.com> wrote:
> 
> > +The kernel firmware signing facility enables to cryptographically sign
> > +firmware files on a system using the same keys used for module signing.
> > +Firmware files's signatures consist of PKCS#7 messages of the respective
> > +firmware file. A firmware file named foo.bin, would have its respective
> > +signature on the filesystem as foo.bin.p7s. When firmware signature
> > +checking is enabled (FIRMWARE_SIG) and when one of the above APIs is used
> > +against foo.bin, the file foo.bin.p7s will also be looked for. If
> > +FIRMWARE_SIG_FORCE is enabled the foo.bin file will only be allowed to
> > +be returned to callers of the above APIs if and only if the foo.bin.p7s
> > +file is confirmed to be a valid signature of the foo.bin file. If
> > +FIRMWARE_SIG_FORCE is not enabled and only FIRMWARE_SIG is enabled the
> > +kernel will be permissive and enabled unsigned firmware files, or firmware
> > +files with incorrect signatures. If FIRMWARE_SIG is not enabled the
> > +signature file is ignored completely.
> 
> I'd rework this paragraph somewhat.  How about:
> 

<-- snip -->

Looks sexy, taken word for word, thanks!

 Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ