On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> On Wed, 2019-12-04 at 14:33 +0000, Paul Moore (pmoore2) wrote:
> > Can you elaborate a bit more on what you mean by "the root of
> > certificate"? Alternatively, could you upload the kernel and signing
> > certificate somewhere I could grab so I can play with it?
>
> Maybe I used the wrong words, I am talking about the pkcs1_search_signer
> function and the following lines:
>
>     if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
>         !asn1_blob_cmp(&entry->cert.ca->subject, subject))
>
> If I change them to
>
>     if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
>         !asn1_blob_cmp(&entry->cert.subject, subject))
>
> it will find my certificate.

Thanks, that makes it much more clear. One of the benefits of sharing code is that it helps remove any uncertainties. :)

> Could you please explain to me why you are using the serial from the root
> of the entry and the subject from the sub-element? Is it connected with
> the certificate chain? What if there is just the simplest possible
> certificate that is not signed by anybody?

That does look a little odd, doesn't it? It's likely left over from a rework of the code during development that wasn't caught because of 1) it worked on my Fedora based test cases, and 2) I haven't really gone over all of the code yet to make sure it is "sane" ;)

I know I've said this before, but please consider all of this code still a very rough prototype. Normally I wouldn't share code of this quality, but since there are a large number of uncertainties surrounding this work (e.g. is this approach reasonable? are the policy changes okay? etc.) I felt the advantages of sharing this code at such an early stage outweighed the risks.

> I have uploaded the certificate and key that I have generated here:
> https://cloud.hawrylko.pl/s/ivHd7HZpuLIjQ88 there is also a signed
> bzImage that I am using.

Great, thank you. I'll take a closer look.

> On Thu, 2019-12-05 at 17:20 +0000, Paul Moore (pmoore2) wrote:
> > A question for discussion: if the VLP is loaded from its own nvindex,
> > and there is also a VLP present inside the LCP, which VLP do we want to
> > use? I'm assuming it is the VLP we loaded directly, and not from inside
> > the LCP, but thought it was worth checking.
>
> In "stock" TBOOT, the VLP loaded from its own index has higher priority
> over the one embedded in the LCP, so I agree with you that here it should
> work like that.
>
> Thanks,
> Lukasz

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
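To make the two comparisons from the thread concrete, here is an added illustration (not tboot's code; the `asn1_blob`, `cert` and `cert_entry` shapes, the `ca` pointer being NULL for a certificate with no issuer, and the constructed test certificate are all assumptions). It places the original issuer-subject lookup beside the corrected own-subject lookup and shows how the unsigned-certificate case Lukasz asks about behaves under each.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical minimal stand-ins for the types the thread refers to. */
struct asn1_blob { const unsigned char *data; size_t len; };

struct cert {
    struct asn1_blob serial;
    struct asn1_blob subject;
    const struct cert *ca;   /* issuer entry; NULL when nobody signed this cert */
};

struct cert_entry { struct cert cert; };

/* 0 when equal, non-zero otherwise, matching how the thread uses it. */
static int asn1_blob_cmp(const struct asn1_blob *a, const struct asn1_blob *b)
{
    if (a->len != b->len) return 1;
    return memcmp(a->data, b->data, a->len) != 0;
}

/* Original comparison: entry serial + ISSUER subject. An entry without an
 * issuer has no ca->subject to compare, so it is skipped here rather than
 * dereferenced; such a cert can never be found by this lookup. */
static const struct cert_entry *search_signer_by_issuer(const struct cert_entry *list,
        size_t n, const struct asn1_blob *serial, const struct asn1_blob *subject)
{
    for (size_t i = 0; i < n; i++) {
        const struct cert_entry *e = &list[i];
        if (e->cert.ca == NULL) continue;
        if (!asn1_blob_cmp(&e->cert.serial, serial) &&
            !asn1_blob_cmp(&e->cert.ca->subject, subject))
            return e;
    }
    return NULL;
}

/* Corrected comparison: entry serial + the entry's OWN subject, which also
 * works for a certificate that has no issuer at all. */
static const struct cert_entry *search_signer(const struct cert_entry *list,
        size_t n, const struct asn1_blob *serial, const struct asn1_blob *subject)
{
    for (size_t i = 0; i < n; i++) {
        const struct cert_entry *e = &list[i];
        if (!asn1_blob_cmp(&e->cert.serial, serial) &&
            !asn1_blob_cmp(&e->cert.subject, subject))
            return e;
    }
    return NULL;
}

/* Constructed sample: one unsigned certificate (ca == NULL). */
#define BLOB(s) { (const unsigned char *)(s), sizeof(s) - 1 }
static const struct cert_entry test_certs[1] = {
    { { BLOB("\x01"), BLOB("CN=test-signer"), NULL } },
};
```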