Message-ID: <1432001692.4510.26.camel@linux.vnet.ibm.com>
Subject: Re: [PATCH] MODSIGN: Change default key details [ver #2]
From: Mimi Zohar
To: David Woodhouse
Cc: David Howells, Linus Torvalds, Abelardo Ricart III, Michal Marek, Linux Kernel Mailing List, Sedat Dilek, keyrings@linux-nfs.org, Rusty Russell, LSM List, James Morris, Greg Kroah-Hartman
Date: Mon, 18 May 2015 22:14:52 -0400

On Mon, 2015-05-18 at 12:13 +0100, David Woodhouse wrote:
> On Mon, 2015-05-18 at 11:47 +0100, David Howells wrote:
> > David Woodhouse wrote:
> >
> > You could make it so that the make process picks up .pem files and converts
> > them to DER-encoded .x509 files.
>
> I don't actually care whether it's PEM or DER form per se. What I
> really care about is the horrid trick of automatically finding the
> files to be included with a wildcard, and pulling them into the build.
>
> That would be icky enough if we *weren't* going to *trust* the things!

Agreed! There's no reason for having them in the root of the build tree.

> With a PEM file it's common to have multiple certs in a single file,
> and you could have a simple config option for the 'additional certs'
> file which explicitly pulls it in. Rather than the current hack.
>
> Doing that with multiple certs in the same file in DER form, if that
> works, would also be tolerable. Although it's less normal to have a
> file in that format.

Either method would be preferable.

Mimi