Message-ID: <435F53C6-DC08-49CA-AA36-9747FC1B50DF@oracle.com>
Date: Thu, 5 Jun 2025 13:35:06 +0000
From: Eric Snowberg <eric.snowberg@...cle.com>
To: Vitaly Kuznetsov <vkuznets@...hat.com>
CC: James Bottomley <James.Bottomley@...senPartnership.com>,
	"linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org>,
	"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
	"linux-modules@...r.kernel.org" <linux-modules@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
	"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
	David Howells <dhowells@...hat.com>,
	David Woodhouse <dwmw2@...radead.org>,
	Jonathan Corbet <corbet@....net>,
	Luis Chamberlain <mcgrof@...nel.org>,
	Petr Pavlu <petr.pavlu@...e.com>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	Daniel Gomez <da.gomez@...sung.com>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	Roberto Sassu <roberto.sassu@...wei.com>,
	Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
	Paul Moore <paul@...l-moore.com>,
	James Morris <jmorris@...ei.org>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Peter Jones <pjones@...hat.com>,
	Robert Holmes <robeholmes@...il.com>,
	Jeremy Cline <jcline@...hat.com>,
	Coiby Xu <coxu@...hat.com>,
	Gerd Hoffmann <kraxel@...hat.com>
Subject: Re: [PATCH RFC 0/1] module: Optionally use .platform keyring for signatures verification

> On Jun 5, 2025, at 1:54 AM, Vitaly Kuznetsov <vkuznets@...hat.com> wrote:
> 
> 'certwrapper' offers _a_ solution which is great. It may, however, not
> be very convenient to use when a user wants to re-use the same OS image
> (e.g. provided by the distro vendor) for various different use-cases as
> proper 'certwrapper' binary needs to be placed on the ESP (and thus
> we'll end up with a bunch of images instead of one). 'db' is different
> because it normally lives outside of the OS disk so it is possible to
> register the exact same OS image with different properties (e.g. with
> and without a custom cert which allows to load third party modules).

Could you please provide more details? The kernel module is signed with
a specific key. The 'db' key in the cloud image must match whatever key
was used to sign the kernel module.

Why can't the RPM package that contains the kernel module also include
the required 'certwrapper'? When the RPM is installed, the appropriate
'certwrapper' is placed on the ESP. There can be any number of 'certwrappers'
in the ESP. Doesn't this solution address the issue?
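As an added illustration (not code from this thread, from the RFC, or from the kernel tree), the script below parses the signature trailer that the kernel's sign-file tool appends to a module. It lets an administrator see whether a .ko is signed at all and extract the PKCS#7 blob whose signer must match a key in one of the trusted keyrings the thread is debating (.builtin_trusted_keys, .secondary_trusted_keys, or, with this RFC, .platform). The field layout follows the kernel's struct module_signature; the module bytes and the signature blob used as sample input are constructed placeholders, not a real ELF image or a real signature.

```python
"""Inspect the signature trailer of a Linux kernel module image.

Added example, not code from the thread or the kernel. Layout (from the
kernel's struct module_signature):

    [module ELF bytes][PKCS#7 signature][struct module_signature][marker]

The struct is 12 bytes: algo, hash, id_type, signer_len, key_id_len,
3 pad bytes, then a big-endian u32 sig_len. For PKCS#7 signatures the
first two and the two length fields are zero; the signer is identified
inside the PKCS#7 blob instead.
"""
import struct

# Marker string the kernel looks for at the very end of a signed module.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature as a big-endian, unpadded struct (12 bytes).
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type: the signature data is a PKCS#7 message


def parse_module_signature(image: bytes):
    """Return (payload, sig_blob, info) for a signed image, None if unsigned.

    Malformed trailers (wrong id_type, non-zero legacy fields, a sig_len that
    overruns the image) raise ValueError instead of being trusted, in the
    spirit of the kernel's own mod_check_sig() sanity checks.
    """
    if not image.endswith(MODULE_SIG_STRING):
        return None  # the kernel treats this as "no signature present"
    body = image[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("image too short for struct module_signature")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:]
    )
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    if algo or hash_id or signer_len or key_id_len:
        raise ValueError("PKCS#7 trailers must leave algo/hash/signer/key_id zero")
    rest = body[:-SIG_INFO.size]
    if sig_len == 0 or sig_len > len(rest):
        raise ValueError("sig_len is zero or overruns the module image")
    payload = rest[:len(rest) - sig_len]
    sig_blob = rest[len(rest) - sig_len:]
    info = {"id_type": id_type, "sig_len": sig_len, "payload_len": len(payload)}
    return payload, sig_blob, info


def build_signed_image(payload: bytes, sig_blob: bytes, declared_sig_len=None) -> bytes:
    """Lay out a signed image the way sign-file does.

    declared_sig_len lets a caller write a deliberately wrong length into the
    trailer to exercise the parser's bounds check; normally leave it None.
    """
    length = len(sig_blob) if declared_sig_len is None else declared_sig_len
    trailer = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, length)
    return payload + sig_blob + trailer + MODULE_SIG_STRING


# Constructed sample input: a stand-in for a .ko's ELF bytes (80 bytes) and a
# DER-looking placeholder where the real PKCS#7 message would sit (32 bytes).
SAMPLE_PAYLOAD = b"\x7fELF" + b"\x00" * 60 + b"fake module body"
SAMPLE_SIG = b"\x30\x82" + b"\xaa" * 30
SIGNED_SAMPLE = build_signed_image(SAMPLE_PAYLOAD, SAMPLE_SIG)


def check_samples() -> dict:
    """Run the parser over the unsigned, signed, and tampered samples."""
    results = {}
    results["unsigned"] = parse_module_signature(SAMPLE_PAYLOAD) is None
    payload, sig, info = parse_module_signature(SIGNED_SAMPLE)
    results["roundtrip"] = payload == SAMPLE_PAYLOAD and sig == SAMPLE_SIG
    results["sig_len"] = info["sig_len"]
    # A truncated download loses the marker; the kernel sees "unsigned".
    results["truncated_is_unsigned"] = parse_module_signature(SIGNED_SAMPLE[:-5]) is None
    # A trailer claiming a signature longer than the file must be rejected.
    forged = build_signed_image(SAMPLE_PAYLOAD, SAMPLE_SIG, declared_sig_len=10_000)
    try:
        parse_module_signature(forged)
        results["overrun_rejected"] = False
    except ValueError:
        results["overrun_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in check_samples().items():
        print(f"{name}: {value}")
```

On a real module, `parse_module_signature(open("foo.ko", "rb").read())` yields the PKCS#7 blob; writing it to a file and running `openssl asn1parse -inform DER` on it shows the signer identifier that the kernel matches against the keyrings. Which keys are currently in the platform keyring, and therefore which signers a kernel with this RFC's option would accept, can be listed with `keyctl list %:.platform`.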
