Re: [PATCH] MODSIGN: Change default key details [ver #2]

From: David Woodhouse
Date: Tue May 19 2015 - 11:19:22 EST


On Tue, 2015-05-19 at 15:14 +0100, David Howells wrote:
>
> > Right. In this very thread :-). But are you fine with using *.auto for
> > the generated files? I'll send a rebased series.
>
> Can you send me your patches and I'll add them to this:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7
>
> Then I can integrate them with David Woodhouse's patches in the same
> area and pass the branch on to James Morris.

We're talking about these three patches, yes?

https://lkml.org/lkml/2015/2/20/546
https://lkml.org/lkml/2015/5/4/614
https://lkml.org/lkml/2015/5/7/488

I think the third is obsolete now that we allow the user to provide
their own certificate + key by setting CONFIG_MODULE_SIG_KEY, because
the in-tree signing_key.{priv,x509} are *always* autogenerated.

The first two I don't think go far enough. I dislike automatically
picking up files that were lying around in the tree, and it's still
going to break if there's a file with a space in its name.

Let's just introduce a new Kconfig option for 'extra certificates' which
takes the filename of a PEM-format file. We can process that into DER
form with some fairly trivial modifications to scripts/extract-cert.c.

--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/