David Woodhouse <[email protected]> wrote: > As part of the firmware signatures, if we are asked to check the > filename then yes we should require it to be present *and* match. But > if we aren't checking (which we can't for modules since we don't know > what's being loaded), why require it to be present at all?
For firmware, that's in the next set of patches, at the tag fwsign-pkcs7-20150720. For modules we could require it not to be present since, as you say, there's no way generally for the kernel check the module name requested. The only thing it could really do is to extract the expected name from the PKCS#7 and compare it against the name in the modinfo structure *after* checking the signature. This would require passing the module name to sign-file too. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
