[Ksummit-discuss] Last minute nominations: mcgrof and toshi
James Bottomley
James.Bottomley at HansenPartnership.com
Tue Aug 2 00:33:51 UTC 2016
On Mon, 2016-08-01 at 14:14 -0700, Andy Lutomirski wrote:
> struct linux_blob_signed_data {
>   unsigned char magic[8];  // "LINUXSIG" -- for domain separation in case someone messes up
>   uint32_t version;  // = 1
>   unsigned char sha256[32];  // SHA256 hash of the blob
>   uint32_t type;  // what type of thing this is (firmware, etc)
>   unsigned char description[];  // the remainder of the structure is "iwlwifi-whatever.ucode", etc.
> };
Where's the signature in this? I see a hash but not a signature.
However since you NAK'd them: now you're reinventing stuff pkcs7
already has. pkcs7 has ASN.1 encodings of the hash and the signature,
so no need to repeat it in a non-standard way. In fact, since the
kernel already understands pkcs7, why not just use it (DER encoded)?
pkcs7 can do an attached and detached signature format, so we could
just simply use it to package signed modules.
James
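
An added example, not code from either poster or from the kernel: it packs and checks the quoted structure to show what the hash field binds, and that a structure holding only an unkeyed hash can be rebuilt by anyone for a modified blob. The little-endian unpadded layout, the type value, the sample blob and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAGIC = b"LINUXSIG"
VERSION = 1
TYPE_FIRMWARE = 1   # assumed value; the post does not number the types
# Assumed wire layout: little-endian, no padding (magic, version, sha256, type).
HEADER = struct.Struct("<8sI32sI")


def pack_signed_data(blob: bytes, blob_type: int, description: str) -> bytes:
    """Serialize the quoted structure for a given blob."""
    digest = hashlib.sha256(blob).digest()
    return HEADER.pack(MAGIC, VERSION, digest, blob_type) + description.encode()


def check_signed_data(data: bytes, blob: bytes, blob_type: int,
                      description: str) -> str:
    """Return "ok", or the reason the structure does not describe this blob."""
    if len(data) < HEADER.size:
        return "truncated"
    magic, version, digest, found_type = HEADER.unpack_from(data)
    if magic != MAGIC:
        return "bad magic"
    if version != VERSION:
        return "unsupported version"
    if found_type != blob_type:
        return "wrong type"
    if data[HEADER.size:] != description.encode():
        return "wrong description"
    if not hmac.compare_digest(digest, hashlib.sha256(blob).digest()):
        return "hash mismatch"
    return "ok"


if __name__ == "__main__":
    name = "iwlwifi-whatever.ucode"
    blob = b"constructed firmware bytes"          # constructed sample input
    sd = pack_signed_data(blob, TYPE_FIRMWARE, name)
    print(check_signed_data(sd, blob, TYPE_FIRMWARE, name))
    print(check_signed_data(sd, blob + b"!", TYPE_FIRMWARE, name))
    print(check_signed_data(sd, blob, TYPE_FIRMWARE, "other.ucode"))
    # Nothing here is keyed: a fresh structure for a changed blob also checks
    # out, so authenticity has to come from a signature over these bytes.
    rebuilt = pack_signed_data(blob + b"!", TYPE_FIRMWARE, name)
    print(check_signed_data(rebuilt, blob + b"!", TYPE_FIRMWARE, name))
```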