linux

iv/linux

History

David Howells 3f1e1bea34 MODSIGN: Use PKCS#7 messages as module signatures

Move to using PKCS#7 messages as module signatures because:

 (1) We have to be able to support the use of X.509 certificates that don't
     have a subjKeyId set.  We're currently relying on this to look up the
     X.509 certificate in the trusted keyring list.

 (2) PKCS#7 message signed information blocks have a field that supplies the
     data required to match with the X.509 certificate that signed it.

 (3) The PKCS#7 certificate carries fields that specify the digest algorithm
     used to generate the signature in a standardised way and the X.509
     certificates specify the public key algorithm in a standardised way - so
     we don't need our own methods of specifying these.

 (4) We now have PKCS#7 message support in the kernel for signed kexec purposes
     and we can make use of this.

To make this work, the old sign-file script has been replaced with a program
that needs compiling in a previous patch.  The rules to build it are added
here.

Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>

2015-08-07 16:26:13 +01:00

calibrate.c

kernel: add calibration_delay_done()

2014-06-16 12:47:39 -06:00

do_mounts_initrd.c

usermodehelper: split remaining calls to call_usermodehelper_fns()

2013-04-30 17:04:06 -07:00

do_mounts_md.c

init: disable sparse checking of the mount.o source files

2012-05-31 17:49:27 -07:00

do_mounts_rd.c

initramfs: support initramfs that is bigger than 2GiB