Re: [PATCH v9 0/4] Check codeSigning extended key usage extension

From: joeyli
Date: Wed Aug 31 2022 - 04:30:20 EST


Hi Jarkko,

On Sun, Aug 28, 2022 at 06:30:23AM +0300, Jarkko Sakkinen wrote:
> On Thu, Aug 25, 2022 at 10:23:10PM +0800, Lee, Chun-Yi wrote:
> > NIAP PP_OS certification requests that OS need to validate the
> > CodeSigning extended key usage extension field for integrity
> > verifiction of exectable code:
> >
> > https://www.niap-ccevs.org/MMO/PP/-442-/
> > FIA_X509_EXT.1.1
> >
> > This patchset adds the logic for parsing the codeSigning EKU extension
> > field in X.509. And checking the CodeSigning EKU when verifying
> > signature of kernel module or kexec PE binary in PKCS#7.
>
> Might be cutting hairs here but you don't really explain
> why we want to support it. It's not a counter argument
> to add the feature. It's a counter argument against adding
> undocumented features.
>

In some cases, a organization may publish different certificates for
difference purposes. When a certificate for a specific purpose is
leaked, it will not affect other certificates.

The function for using a code signing certificate to verify kernel
binary or module can restrict the purpose of the certificate to avoid
attacker uses other leaked non-codeSigning certificate for signing.

Thanks a lot!
Joey Lee