Skip to content
  • David Howells's avatar
    MODSIGN: Use PKCS#7 messages as module signatures · 3f1e1bea
    David Howells authored
    
    
    Move to using PKCS#7 messages as module signatures because:
    
     (1) We have to be able to support the use of X.509 certificates that don't
         have a subjKeyId set.  We're currently relying on this to look up the
         X.509 certificate in the trusted keyring list.
    
     (2) PKCS#7 message signed information blocks have a field that supplies the
         data required to match with the X.509 certificate that signed it.
    
     (3) The PKCS#7 certificate carries fields that specify the digest algorithm
         used to generate the signature in a standardised way and the X.509
         certificates specify the public key algorithm in a standardised way - so
         we don't need our own methods of specifying these.
    
     (4) We now have PKCS#7 message support in the kernel for signed kexec purposes
         and we can make use of this.
    
    To make this work, the old sign-file script has been replaced with a program
    that needs compiling in a previous patch.  The rules to build it are added
    here.
    
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Tested-by: default avatarVivek Goyal <vgoyal@redhat.com>
    3f1e1bea