On Wed, Dec 17, 2014 at 01:22:21PM +0530, Balbir Singh wrote: > On Wed, Dec 17, 2014 at 12:16 PM, Jiri Kosina <jkosina@xxxxxxx> wrote: > > On Wed, 17 Dec 2014, Balbir Singh wrote: > > > >> >> Could you describe what this does to signing? I presume the patched > >> >> module should cause a taint on module signing? > >> > > >> > Hmm, why should it? > >> > >> I wanted to clarify it from a different perspective > >> > >> If the base image is signed by X and the patched module is signed by > >> Y, is that supported. What does it imply in the case of live-patching? > > > > Why should that matter? Both are signed by keys that kernel is configured > > to trust, which makes them equal (even though they are technically > > different). > > > > I am not sure they are equal, others can comment Since any loaded kernel module can do virtually anything on a machine, there can only be one level of trust. As such, all trusted keys are equally trusted. -- Vojtech Pavlik Director SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe live-patching" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
