Re: [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification

All of lore.kernel.org
 help / color / mirror / Atom feed

From: joeyli <jlee@suse.com>
To: Varad Gautam <varad.gautam@suse.com>
Cc: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
	David Howells <dhowells@redhat.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S . Miller" <davem@davemloft.net>,
	Ben Boeckel <me@benboeckel.net>,
	Randy Dunlap <rdunlap@infradead.org>,
	Malte Gell <malte.gell@gmx.de>,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification
Date: Fri, 21 May 2021 17:47:36 +0800	[thread overview]
Message-ID: <20210521094736.GP32436@linux-l9pv.suse> (raw)
In-Reply-To: <20210420062228.GA19927@linux-l9pv.suse>

Hi Varad,

On Tue, Apr 20, 2021 at 02:22:28PM +0800, Joey Lee wrote:
> Hi Varad,
> 
> Thanks for your review!
> 
> On Thu, Apr 15, 2021 at 02:08:32PM +0200, Varad Gautam wrote:
> > Hi Joey,
> > 
> > On 4/9/21 4:46 AM, Lee, Chun-Yi wrote:
> > > This patch adds the logic for checking the CodeSigning extended
> > > key usage when verifying signature of kernel module or
> > > kexec PE binary in PKCS#7.
> > > 
> > > Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
> > > ---
> > >  certs/system_keyring.c               |  2 +-
> > >  crypto/asymmetric_keys/Kconfig       |  9 +++++++++
> > >  crypto/asymmetric_keys/pkcs7_trust.c | 37 +++++++++++++++++++++++++++++++++---
> > >  include/crypto/pkcs7.h               |  3 ++-
> > >  4 files changed, 46 insertions(+), 5 deletions(-)
[...snip]
> > >  
> > >  matched:
> > > +	if (!check_codesign_eku(key, usage)) {
> > 
> > Perhaps this can be a generic check_eku_usage() call, with codesigning as one of the
> > things it can check for.
> >
> 
> Because only codesign EKU be checked now. So I prefer to keep it
> as my current implementation until there have other EKU requirement. 

I have reworked this patch for a bug be found by kernel test robot. I think
that your suggestion is good. So I change the function name to a more generic
name check_eku_by_usage() in my v7 patch set.

Thanks a lot!
Joey Lee

next prev parent reply	other threads:[~2021-05-21  9:48 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-09  2:46 [PATCH v5 0/4] Check codeSigning extended key usage extension Lee, Chun-Yi
2021-04-09  2:46 ` [PATCH 1/4] X.509: Add CodeSigning extended key usage parsing Lee, Chun-Yi
2021-04-09  2:46 ` [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Lee, Chun-Yi
2021-04-15 12:08   ` Varad Gautam
2021-04-20  6:22     ` joeyli
2021-05-21  9:47       ` joeyli [this message]
2021-04-09  2:46 ` [PATCH 3/4] modsign: Add codeSigning EKU when generating X.509 key generation config Lee, Chun-Yi
2021-04-09  2:46 ` [PATCH 4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU Lee, Chun-Yi
  -- strict thread matches above, loose matches on Subject: below --
2021-03-23  3:55 [PATCH v5 0/4] Check codeSigning extended key usage extension Lee, Chun-Yi
2021-03-23  3:55 ` [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Lee, Chun-Yi
2021-03-09  9:10 [PATCH v5 0/4] Check codeSigning extended key usage extension Lee, Chun-Yi
2021-03-09  9:10 ` [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Lee, Chun-Yi
2021-02-22  6:42 [PATCH v4 0/4] Check codeSigning extended key usage extension Lee, Chun-Yi
2021-02-22  6:42 ` [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Lee, Chun-Yi
2021-01-20  9:05 [PATCH v4 0/4] Check codeSigning extended key usage extension Lee, Chun-Yi
2021-01-20  9:05 ` [PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Lee, Chun-Yi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210521094736.GP32436@linux-l9pv.suse \
    --to=jlee@suse.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=joeyli.kernel@gmail.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=malte.gell@gmx.de \
    --cc=me@benboeckel.net \
    --cc=rdunlap@infradead.org \
    --cc=varad.gautam@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.