linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: David Howells <dhowells@redhat.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz,
	mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
	dmitry.kasatkin@gmail.com, mcgrof@suse.com,
	linux-kernel@vger.kernel.org, seth.forshee@canonical.com,
	linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
Date: Wed, 20 May 2015 14:36:09 +0100	[thread overview]
Message-ID: <31772.1432128969@warthog.procyon.org.uk> (raw)
In-Reply-To: <555BD715.40202@kernel.org>

Andy Lutomirski <luto@kernel.org> wrote:

> I think this is way more complicated than it has to be.  Can't we look up
> certificates by their subjectPublicKeyInfo?

I want to be able to handle an X.509 chain to a root key that we have in the
kernel.  X.509 certs don't chain on subjectPublicKeyInfo unless that happens
to be what's in the SKID (which is a pretty indefinite standard in its own
right:-( ).  So we need to be able to match on the two things I made available
anyway.  PKCS#7 matches on one of them too, so that then just works.

> Why is PKCS#7 better than whatever we're using now?

It has a standard form[*].  It has standard ways to specify things such as the
key to use and the digest to use.  It can carry multiple signatures from
different keys and can carry key chains (something that's more likely to be
useful for kexec or firmware, admittedly).  It can be generated by extant
tools (though adding it onto a module needs a special tool).

 [*] We can agree it's a somewhat, um, ropy standard, but it's still a
     standard.

What we're using now isn't very extensible without changing the magic string
or putting in an override in one of the fields.

David

  parent reply	other threads:[~2015-05-20 13:37 UTC|newest]

Thread overview: 71+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-15 12:35 [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] David Howells
2015-05-15 12:35 ` [PATCH 1/8] X.509: Extract both parts of the AuthorityKeyIdentifier " David Howells
2015-05-15 12:35 ` [PATCH 2/8] X.509: Support X.509 lookup by Issuer+Serial form " David Howells
2015-05-15 12:35 ` [PATCH 3/8] PKCS#7: Allow detached data to be supplied for signature checking purposes " David Howells
2015-05-15 12:35 ` [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module " David Howells
2015-05-20  0:50   ` Andy Lutomirski
2015-05-20 13:14   ` David Howells
2015-05-20 16:00     ` Andy Lutomirski
2015-05-15 12:36 ` [PATCH 5/8] MODSIGN: Use PKCS#7 messages as module signatures " David Howells
2015-05-15 12:36 ` [PATCH 6/8] sign-file: Add option to only create signature file " David Howells
2015-05-15 12:36 ` [PATCH 7/8] system_keyring.c doesn't need to #include module-internal.h " David Howells
2015-05-15 12:36 ` [PATCH 8/8] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing " David Howells
2015-05-15 13:46 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures " David Woodhouse
2015-05-15 16:52 ` [PATCH 1/4] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19  1:29   ` Mimi Zohar
2015-05-19  6:40     ` Woodhouse, David
2015-05-19 11:45       ` Mimi Zohar
2015-05-19 12:57         ` Woodhouse, David
2015-05-19 13:54           ` Mimi Zohar
2015-05-15 16:53 ` [PATCH 2/4] modsign: Allow external signing key to be specified David Woodhouse
2015-05-15 16:53 ` [PATCH 3/4] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19  1:37   ` Mimi Zohar
2015-05-15 16:54 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-15 19:07 ` sign-file and detached PKCS#7 firmware signatures David Howells
2015-05-18 23:13   ` Luis R. Rodriguez
2015-05-19  9:25   ` David Howells
2015-05-19 16:19     ` Luis R. Rodriguez
2015-05-19 16:48     ` David Howells
2015-05-19 18:21       ` Luis R. Rodriguez
2015-05-19 18:35       ` Luis R. Rodriguez
2015-05-19 18:47       ` David Howells
2015-05-19 20:12         ` Luis R. Rodriguez
2015-05-19 20:29         ` David Howells
2015-05-15 22:51 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Rusty Russell
2015-05-18 12:43 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Howells
2015-05-19 14:45 ` [PATCH 9/8] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 14:45 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 15:50   ` Petko Manolov
2015-05-19 16:15     ` David Woodhouse
2015-05-19 16:34       ` Petko Manolov
2015-05-19 18:39   ` Mimi Zohar
2015-05-19 18:48   ` David Howells
2015-05-19 19:14     ` Mimi Zohar
2015-05-19 20:04       ` David Woodhouse
2015-05-19 14:46 ` [PATCH 11/8] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-19 14:46 ` [PATCH 12/8] modsign: Allow external signing key to be specified David Woodhouse
2015-05-19 14:47 ` [PATCH 13/8] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Woodhouse
2015-05-19 15:36 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Howells
2015-05-20  0:36 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski
2015-05-20 13:36 ` David Howells [this message]
2015-05-20 15:56   ` Andy Lutomirski
2015-05-20 16:21     ` Petko Manolov
2015-05-20 16:41       ` Andy Lutomirski
2015-05-20 16:55         ` Petko Manolov
2015-05-21 21:38       ` Luis R. Rodriguez
2015-05-21 21:44         ` Andy Lutomirski
2015-05-21 21:59           ` Luis R. Rodriguez
2015-05-21 22:06             ` Andy Lutomirski
2015-05-21 22:16               ` Luis R. Rodriguez
2015-05-21 22:24                 ` Andy Lutomirski
2015-05-21 22:31                   ` Luis R. Rodriguez
2015-05-21 22:47                     ` Andy Lutomirski
2015-05-21 23:01                       ` Luis R. Rodriguez
2015-05-21 23:09                         ` Andy Lutomirski
2015-05-22  7:56                         ` David Howells
2015-05-22 12:42                           ` Mimi Zohar
2015-05-22  7:49         ` David Howells
2015-05-22  7:48       ` David Howells
2015-05-22 12:28         ` Mimi Zohar
2015-05-24 10:52           ` Petko Manolov
2015-05-21 13:59   ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=31772.1432128969@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=dwmw2@infradead.org \
    --cc=keyrings@linux-nfs.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mcgrof@suse.com \
    --cc=mjg59@srcf.ucam.org \
    --cc=mmarek@suse.cz \
    --cc=rusty@rustcorp.com.au \
    --cc=seth.forshee@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).