| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 May 2015 22:49:49 +0300 From: Petko Manolov <petkan@...-labs.com> To: David Howells <dhowells@...hat.com>, Michal Marek <mmarek@...e.cz> CC: torvalds@...ux-foundation.org, aricart@...nix.com, linux-kernel@...r.kernel.org, sedat.dilek@...il.com, keyrings@...ux-nfs.org, rusty@...tcorp.com.au, linux-security-module@...r.kernel.org, james.l.morris@...cle.com, dwmw2@...radead.org Subject: Re: [PATCH 1/3] X.509: Fix certificate gathering again On May 26, 2015 7:15:38 PM GMT+03:00, David Howells <dhowells@...hat.com> wrote: >Hi Michal, > >Could you have a look at the patch at the end of my branch: > > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 > >It changes things from picking up arbitrary *.x509 files dropped in the >kernel >source and/or build directory to taking a single named PEM file with >all the >additional certs as a string config option. The PEM file can contain >multiple >certs simply cat'd together. > >If you're okay with that, it obsoletes these patches of yours. > >I've attached it here for convenience also. > >David >--- >commit 9c71c950793b1b8c23c6d945b31f6545f82adced >Author: David Woodhouse <David.Woodhouse@...el.com> >Date: Thu May 21 12:23:55 2015 +0100 > > modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option > >Let the user explicitly provide a file containing trusted keys, instead >of > just automatically finding files matching *.x509 in the build tree and > trusting whatever we find. This really ought to be an *explicit* > configuration, and the build rules for dealing with the files were > fairly painful too. > > Signed-off-by: David Woodhouse <David.Woodhouse@...el.com> > Signed-off-by: David Howells <dhowells@...hat.com> > >diff --git a/Documentation/module-signing.txt >b/Documentation/module-signing.txt >index 5d5e4e32dc26..4e62bc29666e 100644 >--- a/Documentation/module-signing.txt >+++ b/Documentation/module-signing.txt >@@ -88,6 +88,7 @@ This has a number of options available: >than being a module) so that modules signed with that algorithm can >have > their signatures checked without causing a dependency loop. > >+ >(4) "File name or PKCS#11 URI of module signing key" >(CONFIG_MODULE_SIG_KEY) > > Setting this option to something other than its default of >@@ -104,6 +105,13 @@ This has a number of options available: > means of the KBUILD_SIGN_PIN variable. > > >+ (5) "Additional X.509 keys for default system keyring" >(CONFIG_SYSTEM_TRUSTED_KEYS) >+ >+ This option can be set to the filename of a PEM-encoded file >containing >+ additional certificates which will be included in the system >keyring by >+ default. >+ >+ > ======================= > GENERATING SIGNING KEYS > ======================= >@@ -171,10 +179,9 @@ in a keyring called ".system_keyring" that can be >seen by: > 302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora >kernel signing key: d69a84e6bce3d216b979e9505b3e3ef9a7118079: X509.RSA >a7118079 [] > ... > >-Beyond the public key generated specifically for module signing, any >file >-placed in the kernel source root directory or the kernel build root >directory >-whose name is suffixed with ".x509" will be assumed to be an X.509 >public key >-and will be added to the keyring. >+Beyond the public key generated specifically for module signing, I think this should be "private", not "public" key. The modules are signed with the private key... Petko -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists