Date: Sun, 28 Aug 2022 06:35:24 +0300
From: Jarkko Sakkinen
To: "Lee, Chun-Yi"
Cc: David Howells, Herbert Xu, "David S . Miller", Ben Boeckel, Randy Dunlap, Malte Gell, Varad Gautam, Mimi Zohar, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: Re: [PATCH v9,4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU

On Thu, Aug 25, 2022 at 10:23:14PM +0800, Lee, Chun-Yi wrote:
> Add an openssl command option example for generating CodeSign extended
> key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU is enabled.
>
> Signed-off-by: "Lee, Chun-Yi"
> ---
> Documentation/admin-guide/module-signing.rst | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
> index 7d7c7c8a545c..ca3b8f19466c 100644
> --- a/Documentation/admin-guide/module-signing.rst
> +++ b/Documentation/admin-guide/module-signing.rst
> @@ -170,6 +170,12 @@ generate the public/private key files:: > -config x509.genkey -outform PEM -out kernel_key.pem \ > -keyout kernel_key.pem > > +When ``CONFIG_CHECK_CODESIGN_EKU`` option is enabled, the following openssl > +command option should be added where for generating CodeSign extended key usage You have: 1. codeSign 2. CodeSign 3. CodeSigning Why this ambiguity? > +in X.509:: > + > + -addext "extendedKeyUsage=codeSigning" > + > The full pathname for the resulting kernel_key.pem file can then be specified > in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will > be used instead of an autogenerated keypair. > -- > 2.26.2 > BR, Jarkko
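Review bot: In the added paragraph, "should be added where for generating CodeSign extended key usage" does not parse and never names the command that takes the option. Because the paragraph directly follows the key-generation command ending in `-keyout kernel_key.pem`, say so explicitly, for example "add the following option to the openssl command above so that the generated X.509 certificate carries the code signing extended key usage". The same paragraph writes the EKU as "CodeSign" while the option value is `codeSigning` and the config symbol is `CONFIG_CHECK_CODESIGN_EKU`; pick one prose name and reserve `codeSigning` for the literal option value. The added text also leaves unsaid what happens to a key without this EKU when the option is enabled, which is the detail an administrator reading this section needs.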