Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures
To: David Howells, jmorris@namei.org
Cc: dwmw2@infradead.org, mcgrof@gmail.com, keyrings@linux-nfs.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
From: Andy Lutomirski
Message-ID: <55B6988D.4060805@kernel.org>
Date: Mon, 27 Jul 2015 13:46:05 -0700
In-Reply-To: <5299.1438025624@warthog.procyon.org.uk>

On 07/27/2015 12:33 PM, David Howells wrote:
> Hi James,
>
> Can you pull this into security/next please? Its aim is twofold: firstly,
> make the module signatures of PKCS#7/CMS format rather than a home-brewed
> format and secondly to pave the way for use of the signing code for
> firmware signatures (to follow later).

With all this stuff applied, will the kernel accept PKCS#7 signatures that *don't* have authenticated attributes or that are otherwise cryptographically insecure in that they fail to provide the property that an attacker can't manipulate a valid signature on one message to look like a valid signature on a different message? It looks like fixing that might actually be important if anyone ever wants to use this for firmware signing.
At least there's no issue with newer kernels needing to accept module signatures generated by old tools, since the newer kernels won't accept the underlying modules anyway.

--Andy
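As an added illustration (not part of the thread and not kernel code) of what the signed bytes cover in the two CMS SignerInfo modes under discussion: per RFC 5652, with signedAttrs absent the signature is over the content digest alone, so it says nothing about what the content is for; with signedAttrs present the signature is over the attribute set, which must carry content-type and message-digest, so a signature issued for one purpose (a module) does not verify when presented for another (firmware). The signing primitive (an HMAC stand-in for RSA/ECDSA) and the attribute encoding (length-prefixed bytes rather than DER) are constructed simplifications.

```python
import hashlib
import hmac

# Constructed stand-in for the signer's private key; a real CMS SignerInfo
# would carry an asymmetric signature, but the binding rule is the same.
SIGNING_KEY = b"constructed-demo-key"


def _sign(data: bytes) -> bytes:
    # Stand-in for an asymmetric signature over `data`.
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def _verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign(data), sig)


def encode_signed_attrs(content_type: str, message_digest: bytes) -> bytes:
    # Simplified stand-in for the DER-encoded SET OF Attribute that CMS signs;
    # the two mandatory attributes are content-type and message-digest.
    ct = content_type.encode()
    return b"\x31" + bytes([len(ct)]) + ct + bytes([len(message_digest)]) + message_digest


def sign_bare(content: bytes) -> bytes:
    # No signedAttrs: only the content digest is bound to the signature.
    return _sign(hashlib.sha256(content).digest())


def sign_with_attrs(content_type: str, content: bytes) -> bytes:
    # signedAttrs present: content type and content digest are both bound.
    return _sign(encode_signed_attrs(content_type, hashlib.sha256(content).digest()))


def verify_bare(content: bytes, sig: bytes) -> bool:
    # A bare-mode verifier has no content type to check against.
    return _verify(hashlib.sha256(content).digest(), sig)


def verify_with_attrs(expected_type: str, content: bytes, sig: bytes) -> bool:
    # The verifier rebuilds the attributes from the type *it* expects, so a
    # signature issued under another content type cannot be reused.
    return _verify(encode_signed_attrs(expected_type, hashlib.sha256(content).digest()), sig)


MODULE_BLOB = b"constructed kernel module bytes"  # constructed sample content


def reuse_across_purposes() -> dict:
    """Is a signature issued for a module accepted when presented as firmware?"""
    bare, attrs = sign_bare(MODULE_BLOB), sign_with_attrs("module", MODULE_BLOB)
    return {
        "bare_accepted_as_firmware": verify_bare(MODULE_BLOB, bare),
        "attrs_accepted_as_firmware": verify_with_attrs("firmware", MODULE_BLOB, attrs),
        "attrs_accepted_as_module": verify_with_attrs("module", MODULE_BLOB, attrs),
    }
```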