| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55B6988D.4060805@kernel.org> Date: Mon, 27 Jul 2015 13:46:05 -0700 From: Andy Lutomirski <luto@...nel.org> To: David Howells <dhowells@...hat.com>, jmorris@...ei.org Cc: dwmw2@...radead.org, mcgrof@...il.com, keyrings@...ux-nfs.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures On 07/27/2015 12:33 PM, David Howells wrote: > Hi James, > > Can you pull this into security/next please? Its aim is twofold: firstly, > make the module signatures of PKCS#7/CMS format rather than a home-brewed > format and secondly to pave the way for use of the signing code for > firmware signatures (to follow later). With all this stuff applied, will the kernel accept PKCS#7 signatures that *don't* have authenticated attributes or that are otherwise cryptographically insecure in that they fail to provide the property that an attacker can't manipulate a valid signature on one message to look like a valid signature on a different message? It looks like fixing that might actually be important if anyone ever wants to use this for firmware signing. At least there's no issue with newer kernels needing to accept module signautures generated by old tools, since the newer kernels won't accept the underlying modules anyway. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists