[PATCH 1/3] [V6] Add support for GPG signature enforcement on booted
tpearson at raptorengineering.com
Thu Aug 18 19:50:41 AEST 2016
-----BEGIN PGP SIGNED MESSAGE-----
On 08/17/2016 02:57 PM, Nayna wrote:
> Is purpose of lockdown file only to enable/disable kernel signature
> verification ? And if kernel signature verification enabled then disable
> cmdline access ? or does it store any data also required during
> signature verification / decryption ?
This file serves two purposes. If it is present and not empty, the
lockdown mode is engaged. It also stores the authorized GPG signatures,
and whether the encrypted mode is enabled or not.
> I think we should create security directory within lib/ in petitboot
> code to keep all security specific functions in this directory.
> And then we can have lib/security. and gpg.c and gpg.h can be moved to
Agreed. Fixed in patch V7.
> Wouldn't it be more appropriate to move this function to lib/file/file.c
> ? Further more, does one of the existing function in file.c provide the
> same functionality and if this not needed.
This functionality did not exist. Function has been moved in patch V7.
> Thanks & Regards,
> - Nayna
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the Petitboot