Message-Id: <1525383720.3539.76.camel@linux.vnet.ibm.com>
Date:   Thu, 03 May 2018 17:42:00 -0400
From:   Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:     James Morris <jmorris@...ei.org>,
        Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>
Cc:     David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        Keyrings <keyrings@...r.kernel.org>,
        Linux Integrity <linux-integrity@...r.kernel.org>,
        Linux Security <linux-security-module@...r.kernel.org>,
        Linux Kernel <linux-kernel@...r.kernel.org>,
        Stefan Berger <stefanb@...ux.vnet.ibm.com>,
        George Wilson <gcwilson@...ibm.com>,
        Mike Rapoport <rppt@...ux.vnet.ibm.com>,
        Patrick Callaghan <patrickc@...ibm.com>
Subject: Re: [PATCH v6 0/4] Certificate insertion support for x86 bzImages

On Fri, 2018-05-04 at 03:11 +1000, James Morris wrote:
> On Wed, 2 May 2018, Mehmet Kayaalp wrote:
> 
> > These patches add support for modifying the reserved space for extra
> > certificates in a compressed bzImage in x86. This allows separating the
> > system keyring certificate from the kernel build process. After the kernel
> > image is distributed, the insert-sys-cert script can be used to insert the
> > certificate for x86.
> 
> Can you provide more explanation of how this is useful and who would use 
> it?

I'm involved in a number of projects that rely on a kernel build group to
actually build kernels for their systems.  Reserving memory for
additional public keys allows product groups to insert public keys
post build.  Initially the product groups might insert development
keys, but eventually they would insert the product's public key.

Mimi
