| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Oct 2020 14:49:59 +0800
From: "Lee, Chun-Yi" <joeyli.kernel@...il.com>
To: David Howells <dhowells@...hat.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>,
"David S . Miller" <davem@...emloft.net>, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
"Lee, Chun-Yi" <jlee@...e.com>
Subject: [RFC PATCH 0/2] Check codeSigning extended key usage extension
NIAP PP_OS certification requests that the OS shall validate the
CodeSigning extended key usage extension field for integrity
verifiction of exectable code:
https://www.niap-ccevs.org/MMO/PP/-442-/
FIA_X509_EXT.1.1
This patchset adds the logic for parsing the codeSigning EKU extension
field in X.509. And checking the CodeSigning EKU when verifying signature
of kernel module or kexec PE binary in PKCS#7.
Lee, Chun-Yi (2):
X.509: Add CodeSigning extended key usage parsing
PKCS#7: Check codeSigning EKU for kernel module and kexec pe
verification
certs/system_keyring.c | 2 +-
crypto/asymmetric_keys/Kconfig | 10 +++++++++
crypto/asymmetric_keys/pkcs7_trust.c | 37 ++++++++++++++++++++++++++++---
crypto/asymmetric_keys/x509_cert_parser.c | 24 ++++++++++++++++++++
include/crypto/pkcs7.h | 3 ++-
include/crypto/public_key.h | 1 +
include/linux/oid_registry.h | 5 +++++
7 files changed, 77 insertions(+), 5 deletions(-)
--
2.16.4
Powered by blists - more mailing lists