Re: [PATCH] MODSIGN: Change default key details [ver #2]

From: David Howells
Date: Mon May 18 2015 - 06:48:11 EST


David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:

> Why not just take multiple certs in PEM form in a single file, rather
> than automatically including *.x509 in DER form? Wouldn't that be a
> whole lot easier?

No, for the following reasons:

(1) Unless we want the kernel to be able to handle PEM form, they have to be
converted to DER form for inclusion in system_certificates.S.

(2) We would have to combine the automatically generated signing cert with
the added certs, though, admittedly, this could be done in
system_certificates.S.

(3) We've already told people they must drop DER certs into the source tree
and distribution kernel packages are already doing this, so we have to
make sure they get this right.

You could make it so that the make process picks up .pem files and converts
them to DER-encoded .x509 files. You can cat a bunch of DER certs together
and the kernel will break them apart when it parses the single buffer that
contains all the certs.

We could even make the kernel handle PEM. It shouldn't be very much overhead
since it's just a wrapping/encoding of the DER, right?

So it's by no means impossible, but it's not easier.

David
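The reply above rests on one property of DER: a certificate is a single SEQUENCE with a definite, self-describing length, so a buffer made by concatenating several DER certificates can be cut apart again by reading each outer header. The following C example, added here and not code from the kernel or from either poster, shows such a splitter and how it should react to the two failure modes a build-time concatenation can produce: a truncated last certificate and a blob that is not DER at all (an indefinite-length BER header). The sample input is constructed, consisting of bare SEQUENCE framings rather than real certificates; the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One element located in a concatenated DER buffer. */
struct der_item {
    const uint8_t *data;   /* points at the element's SEQUENCE tag byte */
    size_t len;            /* total size including tag and length octets */
};

/*
 * Size of the DER element starting at buf[0], or 0 if it is malformed.
 * An X.509 certificate is SEQUENCE (tag 0x30) followed by a definite length:
 * one byte below 0x80, or 0x80|n followed by n big-endian length bytes.
 * 0x80 alone (indefinite length) is legal BER but forbidden in DER, and a
 * declared length that runs past the buffer means the blob was truncated.
 */
static size_t der_element_size(const uint8_t *buf, size_t avail)
{
    size_t hdr, len = 0;

    if (avail < 2 || buf[0] != 0x30)
        return 0;
    if (buf[1] < 0x80) {
        len = buf[1];
        hdr = 2;
    } else {
        size_t n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n)
            return 0;   /* indefinite length, or length-of-length too big */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        hdr = 2 + n;
    }
    if (len > avail - hdr)
        return 0;       /* declared length overruns what we were given */
    return hdr + len;
}

/*
 * Split a buffer of back-to-back DER certificates.  Stores up to max items
 * in out[] and returns the number of elements found, or -1 if a malformed
 * or truncated element is encountered (earlier items stay valid).
 */
int der_split(const uint8_t *buf, size_t len, struct der_item *out, int max)
{
    int count = 0;
    size_t pos = 0;

    while (pos < len) {
        size_t sz = der_element_size(buf + pos, len - pos);
        if (sz == 0)
            return -1;
        if (count < max) {
            out[count].data = buf + pos;
            out[count].len = sz;
        }
        count++;
        pos += sz;
    }
    return count;
}

/* Constructed sample: two DER SEQUENCEs concatenated, 136 bytes in total.
 * They are not certificates, only the outer framing the splitter inspects. */
size_t build_sample(uint8_t *buf)
{
    size_t pos = 0;
    /* Element 1 (5 bytes): short-form length, SEQUENCE { INTEGER 5 } */
    const uint8_t e1[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    memcpy(buf, e1, sizeof e1);
    pos += sizeof e1;
    /* Element 2 (131 bytes): long-form length 0x81 0x80 = 128 bytes of
     * content, holding an OCTET STRING of 126 zero bytes */
    buf[pos++] = 0x30; buf[pos++] = 0x81; buf[pos++] = 0x80;
    buf[pos++] = 0x04; buf[pos++] = 0x7e;
    memset(buf + pos, 0, 126);
    pos += 126;
    return pos;
}

/* Wrappers exposing the three outcomes as return values. */
int sample_cert_count(void)          /* intact buffer: 2 elements */
{
    uint8_t buf[256]; struct der_item items[4];
    return der_split(buf, build_sample(buf), items, 4);
}
int sample_truncated_result(void)    /* last byte missing: -1 */
{
    uint8_t buf[256]; struct der_item items[4];
    return der_split(buf, build_sample(buf) - 1, items, 4);
}
int sample_indefinite_result(void)   /* BER indefinite-length header: -1 */
{
    const uint8_t bad[] = { 0x30, 0x80, 0x00, 0x00 };
    struct der_item items[4];
    return der_split(bad, sizeof bad, items, 4);
}

int main(void)
{
    uint8_t buf[256]; struct der_item items[4];
    size_t n = build_sample(buf);
    int count = der_split(buf, n, items, 4);
    printf("%zu bytes -> %d elements\n", n, count);
    for (int i = 0; i < count; i++)
        printf("  element %d: offset %td, %zu bytes\n",
               i, items[i].data - buf, items[i].len);
    printf("truncated: %d, indefinite: %d\n",
           sample_truncated_result(), sample_indefinite_result());
    return 0;
}
```

The splitter deliberately rejects the whole buffer on the first bad header rather than skipping ahead: in a trusted-key list there is no safe way to resynchronise, and a silently dropped certificate is exactly the kind of packaging mistake the reply says distributions must be protected from. A real build check would run the same walk over the assembled blob before it is embedded and fail the build on -1.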