On Thu, Nov 21, 2013 at 11:03:50AM -0800, Greg KH wrote:
> This could be done as we do with modules, and just tack the signature
> onto the end of the 'blob' of the image. That way we could use the same
> tool to sign the binary as we do for modules, and save the need for
> extra parameters in the syscall.

That would require a certain degree of massaging from userspace if we
want to be able to use the existing Authenticode signatures. Otherwise
we need to sign kernels twice.

--
Matthew Garrett | mjg59 at srcf.ucam.org