| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Aug 2012 13:52:23 -0400 From: Josh Boyer <jwboyer@...il.com> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>, jmorris@...ei.org, rusty@...tcorp.com.au, dhowells@...hat.com, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [RFC v2 7/7] modsig: build rules and scripts to generate keys and sign modules On Fri, Aug 17, 2012 at 1:44 PM, Josh Boyer <jwboyer@...il.com> wrote: >> I still think the signed_modules_install script, renamed to something >> like ephemeral_signed_modules_install, is worthwhile and becomes a >> convience tool for the developer, wanting to use ephemeral keys. The >> private key, in Dmitry's updated patches soon to be posted, will be >> password protected with a random number, that is only accessible to the >> current shell. > > I think the existence of an additional make target for signed modules > is really confusing. Particularly when you consider the target still > exists even if the kernel isn't setup to work with signed modules. If > the config options are set, just have 'make modules_install' do it and > create a key if one doesn't exist (or better yet, have 'make' do it). > > Also... password protecting the key that only responds to the current > shell really sounds like a show-stopper for this being used by distros. > There is no way a distro is going to be able to type a password in > during a kernel build. It completely removes the usability of distros > that want to use a per-kernel build ephemeral key. If you're going to > do this, please wrap it in a kconfig option so the second distro case > I mentio above is still possible. Here's a suggestion that might help the discussion. In the next revision of the patch set, include a document in Documentation/ that covers the module signing design, the purposes it's intended to fit, and a high level description of the various module loading scenarios (signed, unsigned, signed with a key not in the keyring, etc). That way we can at least see at a higher level what the thinking behind the implemenation is. I think some of our back and forth (while good!) is because we see signed modules being used for different purposes. josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists