[PATCH 1/2] [V3] Add support for GPG signature enforcement on booted
Timothy Pearson
tpearson at raptorengineering.com
Sat Aug 13 08:13:40 AEST 2016
On 08/11/2016 08:46 PM, Samuel Mendoza-Jonas wrote:
> While overall the function of the signature checking/etc looks pretty
> good to me, this still adds a /whole/ lot of code to a fairly generic file.
> Would it make more sense to do something like
>
> 	if (task->verify_signature) {
> 		rc = do_gpg_stuff() // possibly asynchronously?
> 		if (rc)
> 			//cancel boot
> 	}
>
> So that all the signature-specific code is self contained in gpg.c, and
> boot.c just calls out to it if needed?
> We could also avoid adding all the foo_signature and local_foo_signature
> fields to the boot_task struct, and assuming all checks passed gpg.c can
> just update the existing local paths of the kernel/initrd/etc.
OK, I think I understand what you want to see now. Fixed in V4 of the
patchset.
> If we're just changing the item name but not the callback, this could
> just be
>
> 	if (lockdown)
> 		i = pmenu_item_create(m, _("Reboot"));
> 	else
> 		i = pmenu_item_create(m, _("Exit to shell"));
> 	i->on_execute.....
>
> Since these UI changes aren't related to the changes to booting, they
> would be better off as a separate patch.
Done in V4 of the patchset.
--
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com