From: David Howells
To: "Luis R. Rodriguez"
Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: Re: sign-file and detached PKCS#7 firmware signatures
Date: Tue, 19 May 2015 19:47:52 +0100

Luis R. Rodriguez wrote:

> I'll also mention:
>
> ---
> The $DIGEST_ALGORITHM needs to be supported on the running kernel and
> can differ from CONFIG_MODULE_SIG_HASH.
> ---
>
> As I do not think that is quite obvious to a system integrator at first.

Actually, this isn't necessarily so for the firmware. It *is* for the module signing, but you can always load the module to give you the digest algorithm (or public key algorithm) for the firmware. Though you would still have to be careful with firmware loaded during the initramfs phase.

David