From: "Luis R. Rodriguez"
Date: Tue, 19 May 2015 13:12:38 -0700
Subject: Re: sign-file and detached PKCS#7 firmware signatures
To: David Howells
Cc: Rusty Russell, Michal Marek, Matthew Garrett, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, linux-kernel@vger.kernel.org, Seth Forshee, linux-security-module, David Woodhouse

On Tue, May 19, 2015 at 11:47 AM, David Howells wrote:
> Luis R. Rodriguez wrote:
>
>> I'll also mention:
>>
>> ---
>> The $DIGEST_ALGORITHM needs to be supported on the running kernel and
>> can differ from CONFIG_MODULE_SIG_HASH.
>> ---
>>
>> As I do not think that is quite obvious to a system integrator at first.
>
> Actually, this isn't necessarily so for the firmware.

Sorry, by "needs to be supported on the running kernel" I meant "=y" or "=m".

> It *is* for the module signing, but you can always load the module to give you
> the digest algorithm (or public key algorithm) for the firmware.

Sure.

> Though you would still have to be careful with firmware loaded during the
> initramfs phase.

Makes sense. How about:

---
The $DIGEST_ALGORITHM needs to be enabled as built-in (=y) or modular (=m) in
the running kernel and can differ from CONFIG_MODULE_SIG_HASH. If you are
enabling the $DIGEST_ALGORITHM as a module, take care to ensure that this
module will also be present in the initramfs used, as some modules within the
initramfs may need it if they use the firmware_class APIs and firmware signing
has been enabled.
---

Luis
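Added example, not part of the thread or of the kernel tree: a POSIX shell helper that turns the check described in the proposed wording above into something a system integrator can run. Given the text of a kernel .config and a listing of the files inside an initramfs, it reports whether a digest algorithm is built in (=y), modular and present in the initramfs, modular but missing from the initramfs, or not enabled at all. The digest-to-Kconfig-symbol and digest-to-module mapping is an assumption covering only the generic software implementations (sha256_generic.ko and friends); arch-optimised variants are ignored. The .config excerpt and initramfs listing are constructed sample data, not taken from any real system.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the thread or the kernel tree):
# decide whether a digest algorithm is usable for firmware verification when
# firmware is loaded during the initramfs phase.

# Assumption: only the generic software implementations are mapped here
# (CONFIG_CRYPTO_SHA256 -> sha256_generic.ko, etc.). Arch-optimised variants
# such as sha256-ssse3 are not considered.
digest_kconfig() {
    case "$1" in
        sha1)          echo CONFIG_CRYPTO_SHA1 ;;
        sha224|sha256) echo CONFIG_CRYPTO_SHA256 ;;
        sha384|sha512) echo CONFIG_CRYPTO_SHA512 ;;
        *)             return 1 ;;
    esac
}

digest_module() {
    case "$1" in
        sha1)          echo sha1_generic ;;
        sha224|sha256) echo sha256_generic ;;
        sha384|sha512) echo sha512_generic ;;
        *)             return 1 ;;
    esac
}

# digest_status DIGEST CONFIG_TEXT INITRAMFS_LISTING
# Prints one of: builtin | module-in-initramfs | module-missing-from-initramfs
#                | disabled | unknown
# Returns 0 only when the digest is usable from the initramfs.
digest_status() {
    digest=$1
    config=$2
    listing=$3
    sym=$(digest_kconfig "$digest") || { echo unknown; return 1; }
    mod=$(digest_module "$digest")
    # Extract the value after "SYMBOL="; a "# SYMBOL is not set" line yields "".
    value=$(printf '%s\n' "$config" | sed -n "s/^$sym=//p" | head -n 1)
    case "$value" in
        y) echo builtin ;;
        m)
            # Match e.g. lib/modules/<ver>/kernel/crypto/sha512_generic.ko,
            # optionally compressed (.ko.gz, .ko.xz).
            if printf '%s\n' "$listing" | grep -qE "(^|/)$mod\.ko(\.[a-z0-9]+)?$"; then
                echo module-in-initramfs
            else
                echo module-missing-from-initramfs
                return 1
            fi ;;
        *) echo disabled; return 1 ;;
    esac
}

# Constructed sample inputs (not from any real system). sha256 is built in,
# sha512 is modular and shipped in the initramfs, sha1 is modular but the
# initramfs does not carry it.
SAMPLE_CONFIG='CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_CRYPTO_SHA1=m
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=m
# CONFIG_CRYPTO_MD5 is not set'

SAMPLE_INITRAMFS='lib/modules/4.1.0/kernel/crypto/sha512_generic.ko
lib/modules/4.1.0/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
lib/firmware/example.fw'

for d in sha256 sha512 sha1; do
    printf '%-7s %s\n' "$d" "$(digest_status "$d" "$SAMPLE_CONFIG" "$SAMPLE_INITRAMFS" || true)"
done
```

On a real system the two inputs come from `zcat /proc/config.gz` (or `/boot/config-$(uname -r)`) and from a listing of the installed initramfs, for example `lsinitrd` on dracut-based distributions or `lsinitramfs` on initramfs-tools ones. A `module-missing-from-initramfs` result is the case the proposed wording warns about: the digest is enabled, but any firmware_class user that runs before the root filesystem is mounted cannot have its firmware signature verified.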