On Thu, Aug 25, 2022 at 10:23:10PM +0800, Lee, Chun-Yi wrote: > NIAP PP_OS certification requests that OS need to validate the > CodeSigning extended key usage extension field for integrity > verifiction of exectable code: > > https://www.niap-ccevs.org/MMO/PP/-442-/ > FIA_X509_EXT.1.1 > > This patchset adds the logic for parsing the codeSigning EKU extension > field in X.509. And checking the CodeSigning EKU when verifying > signature of kernel module or kexec PE binary in PKCS#7. Might be cutting hairs here but you don't really explain why we want to support it. It's not a counter argument to add the feature. It's a counter argument against adding undocumented features. BR, Jarkko
