From: Jarkko Sakkinen <jarkko@kernel.org>
To: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Cc: David Howells <dhowells@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>,
Ben Boeckel <me@benboeckel.net>,
Randy Dunlap <rdunlap@infradead.org>,
Malte Gell <malte.gell@gmx.de>,
Varad Gautam <varad.gautam@suse.com>,
Mimi Zohar <zohar@linux.ibm.com>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, "Lee, Chun-Yi" <jlee@suse.com>
Subject: Re: [PATCH v9 0/4] Check codeSigning extended key usage extension
Date: Sun, 28 Aug 2022 06:30:23 +0300 [thread overview]
Message-ID: <YwrhT0YLb87PtuEk@kernel.org> (raw)
In-Reply-To: <20220825142314.8406-1-jlee@suse.com>
On Thu, Aug 25, 2022 at 10:23:10PM +0800, Lee, Chun-Yi wrote:
> NIAP PP_OS certification requests that OS need to validate the
> CodeSigning extended key usage extension field for integrity
> verifiction of exectable code:
>
> https://www.niap-ccevs.org/MMO/PP/-442-/
> FIA_X509_EXT.1.1
>
> This patchset adds the logic for parsing the codeSigning EKU extension
> field in X.509. And checking the CodeSigning EKU when verifying
> signature of kernel module or kexec PE binary in PKCS#7.
Might be cutting hairs here but you don't really explain
why we want to support it. It's not a counter argument
to add the feature. It's a counter argument against adding
undocumented features.
BR, Jarkko
next prev parent reply other threads:[~2022-08-28 3:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-25 14:23 [PATCH v9 0/4] Check codeSigning extended key usage extension Lee, Chun-Yi
2022-08-25 14:23 ` [PATCH v9,1/4] X.509: Add CodeSigning extended key usage parsing Lee, Chun-Yi
2022-08-26 20:23 ` Jarkko Sakkinen
2022-08-31 7:31 ` joeyli
2022-08-25 14:23 ` [PATCH v9,2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification Lee, Chun-Yi
2022-08-28 3:34 ` Jarkko Sakkinen
2022-08-31 7:48 ` joeyli
2022-08-25 14:23 ` [PATCH v9,3/4] modsign: Add codeSigning EKU to the default Lee, Chun-Yi
2022-08-25 14:23 ` [PATCH v9,4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU Lee, Chun-Yi
2022-08-28 3:35 ` Jarkko Sakkinen
2022-08-31 7:54 ` joeyli
2022-08-28 3:30 ` Jarkko Sakkinen [this message]
2022-08-31 8:29 ` [PATCH v9 0/4] Check codeSigning extended key usage extension joeyli
-- strict thread matches above, loose matches on Subject: below --
2022-07-13 4:24 Lee, Chun-Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YwrhT0YLb87PtuEk@kernel.org \
--to=jarkko@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=jlee@suse.com \
--cc=joeyli.kernel@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=malte.gell@gmx.de \
--cc=me@benboeckel.net \
--cc=rdunlap@infradead.org \
--cc=varad.gautam@suse.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.