Message-ID: <5419.1432061272@warthog.procyon.org.uk>
Date: Tue, 19 May 2015 19:47:52 +0100
From: David Howells <dhowells@...hat.com>
To: "Luis R. Rodriguez" <mcgrof@...e.com>
Cc: dhowells@...hat.com, rusty@...tcorp.com.au, mmarek@...e.cz,
mjg59@...f.ucam.org, keyrings@...ux-nfs.org,
dmitry.kasatkin@...il.com, linux-kernel@...r.kernel.org,
seth.forshee@...onical.com, linux-security-module@...r.kernel.org,
dwmw2@...radead.org
Subject: Re: sign-file and detached PKCS#7 firmware signatures
Luis R. Rodriguez <mcgrof@...e.com> wrote:
> I'll also mention:
>
> ---
> The $DIGEST_ALGORITHM needs to be supported on the running kernel and
> can differ from CONFIG_MODULE_SIG_HASH.
> ---
>
> As I do not think that is quite obvious to a system integrator at first.

Actually, this isn't necessarily so for the firmware.

It *is* for the module signing, but you can always load the module to give you
the digest algorithm (or public key algorithm) for the firmware.

Though you would still have to be careful with firmware loaded during the
initramfs phase.

David