Hi Jarkko,

On Sun, Aug 28, 2022 at 06:30:23AM +0300, Jarkko Sakkinen wrote:
> On Thu, Aug 25, 2022 at 10:23:10PM +0800, Lee, Chun-Yi wrote:
> > NIAP PP_OS certification requests that the OS validate the
> > CodeSigning extended key usage extension field for integrity
> > verification of executable code:
> >
> >     https://www.niap-ccevs.org/MMO/PP/-442-/
> >     FIA_X509_EXT.1.1
> >
> > This patchset adds the logic for parsing the codeSigning EKU extension
> > field in X.509. And checking the CodeSigning EKU when verifying
> > signature of kernel module or kexec PE binary in PKCS#7.
>
> Might be cutting hairs here but you don't really explain
> why we want to support it. It's not a counter argument
> to add the feature. It's a counter argument against adding
> undocumented features.
>

In some cases, an organization may publish different certificates for
different purposes. When a certificate for a specific purpose is leaked,
it will not affect other certificates. The function for using a code
signing certificate to verify a kernel binary or module can restrict the
purpose of the certificate, to prevent an attacker from using another
leaked non-codeSigning certificate for signing.

Thanks a lot!
Joey Lee
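
The purpose restriction discussed in this thread, as an added user-space illustration (not code from the patchset or from the kernel): it walks the DER value of an X.509 extKeyUsage extension and reports whether id-kp-codeSigning (1.3.6.1.5.5.7.3.3, RFC 5280) is listed. The function names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* id-kp-codeSigning, OID 1.3.6.1.5.5.7.3.3 (RFC 5280), as DER content bytes. */
static const unsigned char OID_CODE_SIGNING[] = {0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03};
/* Constructed sample extKeyUsage values (DER: SEQUENCE OF OBJECT IDENTIFIER). */
static const unsigned char EKU_TLS[] = {    /* serverAuth + clientAuth */
    0x30,0x14, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,
               0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02 };
static const unsigned char EKU_CODE[] = {   /* codeSigning only */
    0x30,0x0A, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03 };

/* Read one DER header carrying the expected tag; -1 if malformed or truncated. */
static int der_header(const unsigned char *p, size_t n, unsigned char tag, size_t *hdr, size_t *vlen)
{
    if (n < 2 || p[0] != tag)
        return -1;
    if (p[1] < 0x80) {                                     /* short form */
        *hdr = 2; *vlen = p[1];
    } else if (p[1] == 0x81 && n >= 3 && p[2] >= 0x80) {   /* minimal long form */
        *hdr = 3; *vlen = p[2];
    } else {
        return -1;      /* indefinite, non-minimal or longer lengths rejected */
    }
    return *vlen <= n - *hdr ? 0 : -1;
}

/* 1: codeSigning is listed; 0: well-formed but not listed; -1: malformed DER. */
int eku_has_code_signing(const unsigned char *der, size_t len)
{
    size_t hdr, vlen, off;
    int found = 0;
    if (der_header(der, len, 0x30, &hdr, &vlen) || hdr + vlen != len || !vlen)
        return -1;
    for (off = hdr; off < len; off += hdr + vlen) {
        if (der_header(der + off, len - off, 0x06, &hdr, &vlen) || !vlen)
            return -1;
        if (vlen == sizeof(OID_CODE_SIGNING) && !memcmp(der + off + hdr, OID_CODE_SIGNING, vlen))
            found = 1;
    }
    return found;
}

int main(void)
{
    printf("TLS-only: %d, codeSigning: %d\n", eku_has_code_signing(EKU_TLS, sizeof(EKU_TLS)),
           eku_has_code_signing(EKU_CODE, sizeof(EKU_CODE)));
    return 0;
}
```

A verifier applying this check would refuse the TLS-only certificate as a module signer even though its signature chain is otherwise valid, which is the containment Joey describes for a leaked non-codeSigning key.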