Date: Tue, 20 Oct 2020 09:42:08 -0400
From: Ben Boeckel
To: "Lee, Chun-Yi"
Cc: David Howells, Herbert Xu, "David S. Miller", keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: Re: [RFC PATCH 2/2] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification
Message-ID: <20201020134208.GA297878@erythro.dev.benboeckel.internal>
Reply-To: list.lkml.keyrings@me.benboeckel.net
References: <20201020065001.13836-1-jlee@suse.com> <20201020065001.13836-3-jlee@suse.com>
In-Reply-To: <20201020065001.13836-3-jlee@suse.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On Tue, Oct 20, 2020 at 14:50:01 +0800, Lee, Chun-Yi wrote:
> +config CHECK_CODESIGN_EKU
> +	bool "Check codeSigning extended key usage"
> +	depends on PKCS7_MESSAGE_PARSER=y
> +	depends on SYSTEM_DATA_VERIFICATION
> +	help
> +	  This option provides support for checking the codeSigning extended
> +	  key usage extension when verifying the signature in PKCS#7. It
> +	  affects kernel module verification and kexec PE binary verification
> +	  now.

Is the "now" necessary? Isn't it implied by the option's existence?

--Ben