Re: [GIT PULL] Load keys from signed PE binaries

From: Linus Torvalds
Date: Thu Feb 21 2013 - 13:57:03 EST


On Thu, Feb 21, 2013 at 10:34 AM, Peter Jones <pjones@xxxxxxxxxx> wrote:
> On Thu, Feb 21, 2013 at 10:25:47AM -0800, Linus Torvalds wrote:
>> - why do you bother with the MS keysigning of Linux kernel modules to
>> begin with?
>
> This is not actually what the patchset implements. All it's done here
> is using PE files as envelopes for keys. The usage this enables is to
> allow for whoever makes a module (binary only or merely out of tree for
> whatever reason) to sign it and vouch for it themselves. That could
> include, for example, a systemtap module.

Umm. And which part of "We already support that, using standard X.509
certificates" did we suddenly miss?

So no. The PE file thing makes no sense what-so-ever. What you mention
we can already do, and we already do it *better*.

Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/