git.karo-electronics.de Git - linux-beck.git/commit

author	David Howells <dhowells@redhat.com>
	Mon, 20 Jul 2015 20:16:27 +0000 (21:16 +0100)
committer	David Howells <dhowells@redhat.com>
	Fri, 7 Aug 2015 15:26:13 +0000 (16:26 +0100)
commit	3f1e1bea34740069f70c6bc92d0f712345d5c28e
tree	35ceac092ff7591536810cceecdbf22f4132b046	tree \| snapshot
parent	bc1c373dd2a5113800360f7152be729c9da996cc	commit \| diff

MODSIGN: Use PKCS#7 messages as module signatures

Move to using PKCS#7 messages as module signatures because:

(1) We have to be able to support the use of X.509 certificates that don't
     have a subjKeyId set.  We're currently relying on this to look up the
     X.509 certificate in the trusted keyring list.

(2) PKCS#7 message signed information blocks have a field that supplies the
     data required to match with the X.509 certificate that signed it.

(3) The PKCS#7 certificate carries fields that specify the digest algorithm
     used to generate the signature in a standardised way and the X.509
     certificates specify the public key algorithm in a standardised way - so
     we don't need our own methods of specifying these.

(4) We now have PKCS#7 message support in the kernel for signed kexec purposes
     and we can make use of this.

To make this work, the old sign-file script has been replaced with a program
that needs compiling in a previous patch.  The rules to build it are added
here.

Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>

Makefile		diff \| blob \| history
init/Kconfig		diff \| blob \| history
kernel/module_signing.c		diff \| blob \| history
scripts/Makefile		diff \| blob \| history
scripts/sign-file	[deleted file]	blob \| history