From: David Howells
To: Andy Lutomirski
Cc: dhowells@redhat.com, Andy Lutomirski, Rusty Russell, Michal Marek, Matthew Garrett, keyrings@linux-nfs.org, Dmitry Kasatkin, Luis Rodriguez, "linux-kernel@vger.kernel.org", Seth Forshee, LSM List, David Woodhouse
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
Date: Thu, 21 May 2015 14:59:12 +0100
Message-ID: <7237.1432216752@warthog.procyon.org.uk>
References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <555BD715.40202@kernel.org> <31772.1432128969@warthog.procyon.org.uk>

Andy Lutomirski wrote:

> That being said, are you actually planning on implementing X.509 chain
> validation correctly? ISTM you can't really do it usefully, as we
> don't even know what time it is when we run this code.

We can't validate certificates based on time. We've been there, tried that
and patched it out again. The problem is that we can't trust the system clock
until we've done NTP - and possibly not even then. A dodgy or unset system
clock can lead to the system not booting, even for installation.

David