On Jul 10, 2007, at 8:46 AM, C. Scott Ananian wrote: > Can't we just SHA1 the kernel+initrd bundle and sign the hash? SHA1 > should be fast enough...
The hashes we have available in OFW through the LTC code are Whirlpool and SHA-512. It's non-trivial to amend the list at this time. The current crypto code uses a slow(ish) and paranoid combination of the two hashes with two signature systems because it was designed to verify BIOS updates, where maximal paranoia is justified. We will want to adjust the system to drop down to a single hash algorithm and signature system for the normal boot integrity verification, which should make it quite a bit faster. -- Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org _______________________________________________ Devel mailing list [email protected] http://lists.laptop.org/listinfo/devel
