[Ksummit-discuss] [TECH TOPIC] Firmware signing

David Howells dhowells at redhat.com
Tue Jul 28 16:44:39 UTC 2015


Andy Lutomirski <luto at amacapital.net> wrote:

> I'd really like to replace "the system trusted keyring" with
> purpose-specific lists of keys.  There are keys we trust to sign
> modules, there are keys we trust to sign kexec things, there will be
> keys to trust to sign firmware for any device, etc.

I have some patches to restrict what a key is permitted to do - see the top
few patches here:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=fwsign-pkcs7

This involves marking the X.509 certs with the intended use case (or relying
on the existing CA stuff for key-signing keys).

I do put all the keys into one keyring on the basis that each key will be used
once and won't be added multiple times through separate X.509 certs that give
different usage restrictions for the same key.  Given this, having just one
keyring works fine.

David

