Re: [PATCH] MODSIGN: Change default key details [ver #2]

From: David Woodhouse
Date: Mon May 18 2015 - 07:13:30 EST


On Mon, 2015-05-18 at 11:47 +0100, David Howells wrote:
> David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> > Why not just take multiple certs in PEM form in a single file, rather
> > than automatically including *.x509 in DER form? Wouldn't that be a
> > whole lot easier?
>
> No, for the following reasons:
>
> (1) Unless we want the kernel to be able to handle PEM form, they have to be
> converted to DER form for inclusion in system_certificates.S.

It's just base64. It's fairly trivial to convert.

> (2) We would have to combine the automatically generated signing cert with
> the added certs, though, admittedly, this could be done in
> system_certificates.S.

Yes, merging the signing cert (be it automatically generated or
otherwise) does need to be done. But that's easy enough. And I already
have work to do on processing the signing cert, to allow it to come
from the same PKCS#11 URI that specifies the key.

> (3) We've already told people they must drop DER certs into the source tree
> and distribution kernel packages are already doing this, so we have to
> make sure they get this right.

Yes, absolutely. But I think we can cope with that.

> You could make it so that the make process picks up .pem files and converts
> them to DER-encoded .x509 files.

I don't actually care whether it's PEM or DER form per se. What I
really care about is the horrid trick of automatically finding the
files to be included with a wildcard, and pulling them into the build.

That would be icky enough if we *weren't* going to *trust* the things!

With a PEM file it's common to have multiple certs in a single file,
and you could have a simple config option for the 'additional certs'
file which explicitly pulls it in. Rather than the current hack.

Doing that with multiple certs in the same file in DER form, if that
works, would also be tolerable. Although it's less normal to have a
file in that format.

--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation

Attachment: smime.p7s
Description: S/MIME cryptographic signature
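The two conversions argued over above (a PEM bundle of several certificates decoded to the DER form that system_certificates.S consumes, and several DER certificates stored back to back in one file) are small enough to show in full. The following is an added example written for this page, not code from the thread or from the kernel build; the sample objects are constructed, minimal DER SEQUENCEs standing in for real certificates, and the only structural check performed is that each decoded blob is a single, complete outer SEQUENCE.

```python
import base64
import re

# PEM armour markers; the label between BEGIN/END must match on both ends.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def der_object_length(buf: bytes, offset: int = 0) -> int:
    """Total encoded size (tag + length + contents) of the DER object at
    buf[offset]. Handles the short form and long forms of up to 4 bytes."""
    if len(buf) - offset < 2:
        raise ValueError("truncated DER header")
    first = buf[offset + 1]
    if first < 0x80:
        return 2 + first
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or len(buf) - offset < 2 + nbytes:
        raise ValueError("bad DER length encoding")
    content_len = int.from_bytes(buf[offset + 2:offset + 2 + nbytes], "big")
    return 2 + nbytes + content_len


def pem_to_der_list(text: str, label: str = "CERTIFICATE") -> list:
    """Decode every '-----BEGIN <label>-----' block of a PEM bundle to DER.
    Text outside blocks (comments, subject lines) and blocks with other labels
    (e.g. a private key) are skipped; mismatched markers, invalid base64 and
    blobs whose outer DER length disagrees with their size are rejected."""
    objects = []
    current = None  # (label, [base64 lines]) while inside a block
    for line in text.splitlines():
        line = line.strip()
        m = BEGIN_RE.match(line)
        if m:
            if current is not None:
                raise ValueError("BEGIN marker inside an open block")
            current = (m.group(1), [])
            continue
        m = END_RE.match(line)
        if m:
            if current is None or m.group(1) != current[0]:
                raise ValueError("END marker without matching BEGIN")
            if current[0] == label:
                der = base64.b64decode("".join(current[1]), validate=True)
                if not der or der[0] != 0x30 or der_object_length(der) != len(der):
                    raise ValueError("decoded block is not one complete DER SEQUENCE")
                objects.append(der)
            current = None
            continue
        if current is not None and line:
            current[1].append(line)
    if current is not None:
        raise ValueError("unterminated PEM block")
    return objects


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap one DER object in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def split_der_bundle(blob: bytes) -> list:
    """Split back-to-back DER objects (the 'several certs in one DER file'
    form) by walking each object's outer length."""
    out, off = [], 0
    while off < len(blob):
        n = der_object_length(blob, off)
        if off + n > len(blob):
            raise ValueError("DER object runs past end of bundle")
        out.append(blob[off:off + n])
        off += n
    return out


# Constructed sample objects: tiny DER SEQUENCEs, not real X.509 certificates.
SAMPLE_DER = [
    bytes([0x30, 0x03, 0x02, 0x01, 0x05]),             # SEQUENCE { INTEGER 5 }
    bytes([0x30, 0x05, 0x04, 0x03]) + b"abc",          # SEQUENCE { OCTET STRING "abc" }
    b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"x" * 197,    # long-form length (200 bytes)
]

# Constructed bundle: a comment line, two certs, a private-key block that must
# be skipped, and a third cert.
SAMPLE_PEM = (
    "# subject: constructed test cert 1\n"
    + der_to_pem(SAMPLE_DER[0])
    + der_to_pem(SAMPLE_DER[1])
    + "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
    + der_to_pem(SAMPLE_DER[2])
)

if __name__ == "__main__":
    print(len(pem_to_der_list(SAMPLE_PEM)), "certs from PEM")
    print(len(split_der_bundle(b"".join(SAMPLE_DER))), "certs from DER bundle")
```

Both directions round-trip, and the checks are the ones worth having before anything is trusted: a PEM block is only accepted if its BEGIN and END labels agree and the payload is exactly one DER SEQUENCE, and a concatenated DER file is only split cleanly if every object's declared length fits inside the file.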