Re: [PATCH] MODSIGN: Change default key details [ver #2]

[Mimi Zohar]

On Mon, 2015-05-18 at 12:13 +0100, David Woodhouse wrote:
> On Mon, 2015-05-18 at 11:47 +0100, David Howells wrote:
> > David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:

> > You could make it so that the make process picks up .pem files and converts
> > them to DER-encoded .x509 files. 
> 
> I don't actually care whether it's PEM or DER form per se. What I
> really care about is the horrid trick of automatically finding the
> files to be included with a wildcard, and pulling them into the build.
> 
> That would be icky enough if we *weren't* going to *trust* the things! 

Agreed!  There's no reason for having them in the root of the build
tree.

> With a PEM file it's common to have multiple certs in a single file,
> and you could have a simple config option for the 'additional certs'
> file which explicitly pulls it in. Rather than the current hack.

> Doing that with multiple certs in the same file in DER form, if that
> works, would also be tolerable. Although it's less normal to have a
> file in that format.

Either method would be preferable.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/