Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures

From: David Howells
Date: Tue Jul 28 2015 - 05:29:04 EST

Next message: Matt Fleming: "Re: [PATCH 2/5] i2c: i801: Create iTCO device on newer Intel PCHs"
Previous message: Mark Rutland: "Re: [PATCH 8/8] iio: mma8452: add devicetree property to allow all pin wirings"
In reply to: David Woodhouse: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:

> As part of the firmware signatures, if we are asked to check the
> filename then yes we should require it to be present *and* match. But
> if we aren't checking (which we can't for modules since we don't know
> what's being loaded), why require it to be present at all?

For firmware, that's in the next set of patches, at the tag
fwsign-pkcs7-20150720.

For modules we could require it not to be present since, as you say, there's
no way generally for the kernel check the module name requested. The only
thing it could really do is to extract the expected name from the PKCS#7 and
compare it against the name in the modinfo structure *after* checking the
signature. This would require passing the module name to sign-file too.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matt Fleming: "Re: [PATCH 2/5] i2c: i801: Create iTCO device on newer Intel PCHs"
Previous message: Mark Rutland: "Re: [PATCH 8/8] iio: mma8452: add devicetree property to allow all pin wirings"
In reply to: David Woodhouse: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]