Hi Eric,

On Wed, Mar 29, 2017 at 7:22 PM, Eric McCorkle <e...@metricspace.net> wrote:
>...
> == Specifics ==
>
>...
>
> * A signed ELF will definitely contain a .sign section containing a
>   single detached signature in PKCS#7 format with DER encoding.

I'm concerned about the complexity of parsing PKCS#7 (including ASN.1) in places that need to validate signed objects. In particular, the kernel (for runtime-loaded objects). Complex parsers are a common source of security bugs, so PKCS#7 doesn't seem like a good fit for security-critical code like the kernel syscall interface.

Could a more minimal format take the place of PKCS#7 in .sign sections?

Thanks,
Conrad