Re: sign-file and detached PKCS#7 firmware signatures

From: David Howells
Date: Tue May 19 2015 - 14:48:40 EST


Luis R. Rodriguez <mcgrof@xxxxxxxx> wrote:

> I'll also mention:
>
> ---
> The $DIGEST_ALGORITHM needs to be supported on the running kernel and
> can differ from CONFIG_MODULE_SIG_HASH.
> ---
>
> As I do not think that is quite obvious to a system integrator at first.

Actually, this isn't necessarily so for the firmware.

It *is* for the module signing, but you can always load the module to give you
the digest algorithm (or public key algorithm) for the firmware.

Though you would still have to be careful with firmware loaded during the
initramfs phase.

David