From: David Howells
To: Andy Lutomirski
Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, mcgrof@suse.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
Date: Wed, 20 May 2015 14:36:09 +0100
Message-ID: <31772.1432128969@warthog.procyon.org.uk>
In-Reply-To: <555BD715.40202@kernel.org>
References: <555BD715.40202@kernel.org> <20150515123513.16723.96340.stgit@warthog.procyon.org.uk>

Andy Lutomirski wrote:

> I think this is way more complicated than it has to be. Can't we look up
> certificates by their subjectPublicKeyInfo?

I want to be able to handle an X.509 chain to a root key that we have in the kernel. X.509 certs don't chain on subjectPublicKeyInfo unless that happens to be what's in the SKID (which is a pretty indefinite standard in its own right:-( ). So we need to be able to match on the two things I made available anyway. PKCS#7 matches on one of them too, so that then just works.

> Why is PKCS#7 better than whatever we're using now?

It has a standard form[*]. It has standard ways to specify things such as the key to use and the digest to use. It can carry multiple signatures from different keys and can carry key chains (something that's more likely to be useful for kexec or firmware, admittedly). It can be generated by extant tools (though adding it onto a module needs a special tool).

[*] We can agree it's a somewhat, um, ropy standard, but it's still a standard.

What we're using now isn't very extensible without changing the magic string or putting in an override in one of the fields.

David