| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201021101057.GA13854@linux-l9pv.suse>
Date: Wed, 21 Oct 2020 18:10:57 +0800
From: joeyli <jlee@...e.com>
To: list.lkml.keyrings@...benboeckel.net
Cc: "Lee, Chun-Yi" <joeyli.kernel@...il.com>,
David Howells <dhowells@...hat.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S . Miller" <davem@...emloft.net>, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 2/2] PKCS#7: Check codeSigning EKU for kernel module
and kexec pe verification
Hi Ben,
On Tue, Oct 20, 2020 at 09:42:08AM -0400, Ben Boeckel wrote:
> On Tue, Oct 20, 2020 at 14:50:01 +0800, Lee, Chun-Yi wrote:
> > +config CHECK_CODESIGN_EKU
> > + bool "Check codeSigning extended key usage"
> > + depends on PKCS7_MESSAGE_PARSER=y
> > + depends on SYSTEM_DATA_VERIFICATION
> > + help
> > + This option provides support for checking the codeSigning extended
> > + key usage extension when verifying the signature in PKCS#7. It
> > + affects kernel module verification and kexec PE binary verification
> > + now.
>
> Is the "now" necessary? Isn't it implied by the option's existence?
Thanks for your review. I will remove the "now" in next version.
Joey Lee
Powered by blists - more mailing lists