| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YwrhT0YLb87PtuEk@kernel.org>
Date: Sun, 28 Aug 2022 06:30:23 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: "Lee, Chun-Yi" <joeyli.kernel@...il.com>
Cc: David Howells <dhowells@...hat.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S . Miller" <davem@...emloft.net>,
Ben Boeckel <me@...boeckel.net>,
Randy Dunlap <rdunlap@...radead.org>,
Malte Gell <malte.gell@....de>,
Varad Gautam <varad.gautam@...e.com>,
Mimi Zohar <zohar@...ux.ibm.com>, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
"Lee, Chun-Yi" <jlee@...e.com>
Subject: Re: [PATCH v9 0/4] Check codeSigning extended key usage extension
On Thu, Aug 25, 2022 at 10:23:10PM +0800, Lee, Chun-Yi wrote:
> NIAP PP_OS certification requests that OS need to validate the
> CodeSigning extended key usage extension field for integrity
> verifiction of exectable code:
>
> https://www.niap-ccevs.org/MMO/PP/-442-/
> FIA_X509_EXT.1.1
>
> This patchset adds the logic for parsing the codeSigning EKU extension
> field in X.509. And checking the CodeSigning EKU when verifying
> signature of kernel module or kexec PE binary in PKCS#7.
Might be cutting hairs here but you don't really explain
why we want to support it. It's not a counter argument
to add the feature. It's a counter argument against adding
undocumented features.
BR, Jarkko
Powered by blists - more mailing lists