|
|
Subscribe / Log in / New account

Re: [GIT PULL] Load keys from signed PE binaries

From:  Linus Torvalds <torvalds-AT-linux-foundation.org>
To:  Matthew Garrett <mjg59-AT-srcf.ucam.org>
Subject:  Re: [GIT PULL] Load keys from signed PE binaries
Date:  Thu, 21 Feb 2013 08:58:45 -0800
Message-ID:  <CA+55aFy4k07GPmszkBdYvCE-KphKLVowkZoW7hoAvcR+0U=stg@mail.gmail.com>
Cc:  David Howells <dhowells-AT-redhat.com>, Josh Boyer <jwboyer-AT-redhat.com>, Peter Jones <pjones-AT-redhat.com>, Vivek Goyal <vgoyal-AT-redhat.com>, Kees Cook <keescook-AT-chromium.org>, keyrings-AT-linux-nfs.org, Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org>
Archive‑link:  Article

On Thu, Feb 21, 2013 at 8:42 AM, Matthew Garrett <mjg59@srcf.ucam.org> wrote:
>
> There's only one signing authority, and they only sign PE binaries.

Guys, this is not a dick-sucking contest.

If you want to parse PE binaries, go right ahead.

If Red Hat wants to deep-throat Microsoft, that's *your* issue.  That
has nothing what-so-ever to do with the kernel I maintain. It's
trivial for you guys to have a signing machine that parses the PE
binary, verifies the signatures, and signs the resulting keys with
your own key. You already wrote the code, for chissake, it's in that
f*cking pull request.

Why should *I* care? Why should the kernel care about some idiotic "we
only sign PE binaries" stupidity? We support X.509, which is the
standard for signing.

Do this in user land on a trusted machine. There is zero excuse for
doing it in the kernel.

               Linus



to post comments


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds