[PATCH 4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU

2021-02-21 Thread Lee, Chun-Yi
Add an openssl command option example for generating CodeSign extended key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU is enabled. Signed-off-by: "Lee, Chun-Yi" --- Documentation/admin-guide/module-signing.rst | 6 ++ 1 file changed, 6 insertions(+) diff --git a/Documentation/admin-guide/

[PATCH v4 0/4] Check codeSigning extended key usage extension

2021-02-21 Thread Lee, Chun-Yi
NIAP PP_OS certification requests that the OS shall validate the CodeSigning extended key usage extension field for integrity verification of executable code: https://www.niap-ccevs.org/MMO/PP/-442-/ FIA_X509_EXT.1.1 This patchset adds the logic for parsing the codeSigning EKU extension

[PATCH 2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification

2021-02-21 Thread Lee, Chun-Yi
This patch adds the logic for checking the CodeSigning extended key usage when verifying signature of kernel module or kexec PE binary in PKCS#7. Signed-off-by: "Lee, Chun-Yi" --- certs/system_keyring.c | 2 +- crypto/asymmetric_keys/Kconfig | 9 + crypto/asymmetric

[PATCH 3/4] modsign: Add codeSigning EKU when generating X.509 key generation config

2021-02-21 Thread Lee, Chun-Yi
Add codeSigning EKU to the X.509 key generation config for the build time autogenerated kernel key. Signed-off-by: "Lee, Chun-Yi" --- certs/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..1ef4d6ca43b7 100644 --- a/certs/Makefile ++

[PATCH 1/4] X.509: Add CodeSigning extended key usage parsing

2021-02-21 Thread Lee, Chun-Yi
This patch adds the logic for parsing the CodeSign extended key usage extension in X.509. The parsing result will be set to the eku flag which is carried by public key. It can be used in the PKCS#7 verification. Signed-off-by: "Lee, Chun-Yi" --- crypto/asymmetric_keys/x509_cert_parser.c | 24 +++

Re: [GIT PULL] Crypto Update for 5.12

2021-02-21 Thread pr-tracker-bot
The pull request you sent on Mon, 15 Feb 2021 13:47:21 +1100: > git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git linus has been merged into torvalds/linux.git: https://git.kernel.org/torvalds/c/31caf8b2a847214be856f843e251fc2ed2cd1075 Thank you! -- Deet-doot-dot, I am a bot

Re: KMSAN: uninit-value in __crypto_memneq (2)

2021-02-21 Thread Dmitry Vyukov
On Sat, Jan 9, 2021 at 6:33 PM Dmitry Vyukov wrote: > > On Sat, Jan 9, 2021 at 6:14 PM Eric Biggers wrote: > > > > +Jason, since this looks WireGuard-related. > > I suspect that the uninit was created by geneve or batadv and then > just handed off to wireguard, which couldn't deal with it at that

Re: [PATCH v6 0/5] Enable root to update the blacklist keyring

2021-02-21 Thread Mickaël Salaün
David, Eric, what is the status of this patch series? On 10/02/2021 13:04, Mickaël Salaün wrote: > This new patch series is a rebase on David Howells's keys-misc branch. > This mainly fixes UEFI DBX and the new Eric Snowberg's feature to import > asymmetric keys to the blacklist keyring. > I succe