[PATCH 1/3] [V6] Add support for GPG signature enforcement on booted
Timothy Pearson
tpearson at raptorengineering.com
Thu Aug 18 19:50:41 AEST 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/17/2016 02:57 PM, Nayna wrote:
> Is purpose of lockdown file only to enable/disable kernel signature
> verification ? And if kernel signature verification enabled then disable
> cmdline access ? or does it store any data also required during
> signature verification / decryption ?
This file serves two purposes. If it is present and not empty, the
lockdown mode is engaged. It also stores the authorized GPG signatures,
and whether the encrypted mode is enabled or not.
> I think we should create security directory within lib/ in petitboot
> code to keep all security specific functions in this directory.
>
> And then we can have lib/security. and gpg.c and gpg.h can be moved to
> that.
Agreed. Fixed in patch V7.
> Wouldn't it be more appropriate to move this function to lib/file/file.c
> ? Further more, does one of the existing function in file.c provide the
> same functionality and if this not needed.
This functionality did not exist. Function has been moved in patch V7.
> Thanks & Regards,
> - Nayna
- --
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJXtYTxAAoJEK+E3vEXDOFb1DIH/Ay6ZgTfXUqkyn0/2osQg92n
yY//DDrlGSXPpC26I5n8zXH1EoOKn9yUw4S3MusFHjBlgtz67PZjEeNsAxYqt0LB
Qs2fBfDqSOMVjgza57A9go6ENWgf3A3y3s1ZA7H5dPfXVdwh5edpvoArtJqiwYbd
FslySrXIPTIANyoy+WEdcjS6IoxPcfEYJIg+PfSm+tnI9SeijzqTtq+AOM4KWnTu
mLRy6ksty9+8X3mjPHvMA6Jwhg3s7KItuR4SIluAshpCMAjr1iC2+1ITuciqvkHD
Trgk4smMNw9vHdcVVIsD9Wq5JWr3ZTIDoJ8hjHi2ahg7K5EKXIvNZzQ3Qv7tjxc=
=pOoC
-----END PGP SIGNATURE-----
More information about the Petitboot
mailing list