Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]

From: David Howells
Date: Thu May 21 2015 - 10:00:10 EST

Next message: Ingo Molnar: "Re: [RFC PATCH] x86/64: Optimize the effective instruction cache footprint of kernel functions"
Previous message: Kalle Valo: "Re: [PATCH] ath9k_htc: wmi: match wait_for_completion_timeout return type"
In reply to: Mimi Zohar: "Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:

> That being said, are you actually planning on implementing X.509 chain
> validation correctly? ISTM you can't really do it usefully, as we
> don't even know what time it is when we run this code.

We can't validate certificates based on time. We've been there, tried that
and patched it out again. The problem is that we can't trust the system clock
until we've done NTP - and possibly not even then. A dodgy or unset system
clock can lead to the system not booting, even for installation.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [RFC PATCH] x86/64: Optimize the effective instruction cache footprint of kernel functions"
Previous message: Kalle Valo: "Re: [PATCH] ath9k_htc: wmi: match wait_for_completion_timeout return type"
In reply to: Mimi Zohar: "Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]