From: David Howells
Organization: Red Hat UK Ltd.
To: David Woodhouse
Cc: dhowells@redhat.com, Linus Torvalds, Abelardo Ricart III, Michal Marek, Linux Kernel Mailing List, Sedat Dilek, keyrings@linux-nfs.org, Rusty Russell, LSM List, James Morris, Greg Kroah-Hartman
Subject: Re: [PATCH] MODSIGN: Change default key details [ver #2]
Date: Mon, 18 May 2015 11:47:50 +0100
Message-ID: <8019.1431946070@warthog.procyon.org.uk>
In-Reply-To: <1431790781.9552.0.camel@infradead.org>

David Woodhouse wrote:

> Why not just take multiple certs in PEM form in a single file, rather
> than automatically including *.x509 in DER form? Wouldn't that be a
> whole lot easier?

No, for the following reasons:

 (1) Unless we want the kernel to be able to handle PEM form, they have to be
     converted to DER form for inclusion in system_certificates.S.

 (2) We would have to combine the automatically generated signing cert with
     the added certs, though, admittedly, this could be done in
     system_certificates.S.
 (3) We've already told people they must drop DER certs into the source tree
     and distribution kernel packages are already doing this, so we have to
     make sure they get this right.

You could make it so that the make process picks up .pem files and converts
them to DER-encoded .x509 files.

You can cat a bunch of DER certs together and the kernel will break them apart
when it parses the single buffer that contains all the certs.

We could even make the kernel handle PEM.  It shouldn't be very much overhead
since it's just a wrapping/encoding of the DER, right?

So it's by no means impossible, but it's not easier.

David
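The message relies on one property of DER that makes "cat a bunch of DER certs together" safe: every X.509 Certificate is an outer ASN.1 SEQUENCE whose length field says exactly where it ends, so a loader can walk a concatenated buffer by reading only the tag and length of each element. The splitter below, added here as an illustration and not the kernel's own loader, does that walk for the general DER length encoding (short form and long form with up to four length bytes), rejects BER-isms that must never appear in DER (indefinite length, non-minimal length), and refuses the whole buffer if the last element is truncated, which is the failure a packager hits when a .x509 file is cut short. The "certificates" it is fed are constructed stand-ins: a SEQUENCE header with the two-byte long-form length a real certificate (always larger than 256 bytes) carries, around filler bytes, so only the outer TLV is meaningful and nothing here parses X.509 proper. All function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Called once per certificate found; returning non-zero aborts the walk. */
typedef int (*der_cert_cb)(const uint8_t *cert, size_t len, void *ctx);

/*
 * Walk a buffer of DER certificates laid end to end and hand each one,
 * header included, to cb. Returns the number of certificates, or -1 if the
 * buffer is not a clean run of well-formed DER SEQUENCEs (wrong tag,
 * indefinite or non-minimal length, or a length running past the end).
 */
int der_split(const uint8_t *buf, size_t buflen, der_cert_cb cb, void *ctx)
{
    const uint8_t *p = buf, *end = buf + buflen;
    int count = 0;

    while (p < end) {
        size_t avail = (size_t)(end - p), hdr, len;

        if (avail < 2 || p[0] != 0x30)      /* Certificate ::= SEQUENCE */
            return -1;
        if (p[1] < 0x80) {
            len = p[1];                     /* short form: one length byte */
            hdr = 2;
        } else {
            unsigned nbytes = p[1] & 0x7f;
            /* 0x80 is the BER indefinite form, which DER forbids; more than
             * four length bytes is not something a certificate ever needs. */
            if (nbytes == 0 || nbytes > 4 || avail < 2 + nbytes)
                return -1;
            len = 0;
            for (unsigned i = 0; i < nbytes; i++)
                len = (len << 8) | p[2 + i];
            /* DER demands the minimal encoding: no leading zero length byte,
             * and no long form for a value that fits the short form. */
            if (p[2] == 0 || len < 0x80)
                return -1;
            hdr = 2 + nbytes;
        }
        if (len > avail - hdr)              /* truncated: reject everything */
            return -1;
        if (cb && cb(p, hdr + len, ctx))
            return -1;
        p += hdr + len;
        count++;
    }
    return count;
}

/*
 * Constructed stand-in for a DER certificate: 0x30 0x82 <len:2> and body_len
 * filler bytes. Not a real X.509 certificate; only the outer TLV matters.
 * Returns bytes written, or 0 if the request does not fit.
 */
size_t build_fake_cert(uint8_t *out, size_t cap, size_t body_len, uint8_t fill)
{
    if (body_len < 256 || body_len > 0xffff || cap < 4 + body_len)
        return 0;
    out[0] = 0x30;
    out[1] = 0x82;
    out[2] = (uint8_t)(body_len >> 8);
    out[3] = (uint8_t)(body_len & 0xff);
    memset(out + 4, fill, body_len);
    return 4 + body_len;
}

struct seen { size_t lens[8]; int n; };

static int record_cb(const uint8_t *cert, size_t len, void *ctx)
{
    struct seen *s = ctx;
    (void)cert;
    if (s->n >= 8)
        return 1;
    s->lens[s->n++] = len;
    return 0;
}

/* Two fake certs concatenated as "cat a.x509 b.x509" would: expect 2. */
int demo_concatenated(void)
{
    uint8_t blob[1024];
    struct seen s = {{0}, 0};
    size_t off = build_fake_cert(blob, sizeof blob, 300, 0xAA);

    off += build_fake_cert(blob + off, sizeof blob - off, 420, 0xBB);
    if (der_split(blob, off, record_cb, &s) != 2 ||
        s.lens[0] != 304 || s.lens[1] != 424)
        return -1;
    return s.n;
}

/* The same blob with its last byte chopped off must be rejected: expect -1. */
int demo_truncated(void)
{
    uint8_t blob[1024];
    size_t off = build_fake_cert(blob, sizeof blob, 300, 0xAA);

    off += build_fake_cert(blob + off, sizeof blob - off, 420, 0xBB);
    return der_split(blob, off - 1, NULL, NULL);
}

int main(void)
{
    printf("concatenated: %d certs\n", demo_concatenated());
    printf("truncated:    %d\n", demo_truncated());
    return 0;
}
```

The PEM side of the argument is the inverse step: PEM is base64 of this same DER between BEGIN/END CERTIFICATE lines, so a build rule that converts a dropped-in .pem with `openssl x509 -in cert.pem -outform DER -out cert.x509` before concatenation produces exactly the kind of buffer the splitter above walks. Note that the splitter deliberately fails the whole buffer on the first bad element rather than keeping the certificates before it; silently loading a partial trust list is worse than refusing to boot with it.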