Date:	Wed, 17 Oct 2012 18:26:25 -0400
From:	Josh Boyer <jwboyer@...il.com>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	David Miller <davem@...emloft.net>,
	Rusty Russell <rusty@...tcorp.com.au>,
	David Howells <dhowells@...hat.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: RFC: sign the modules at install time

On Wed, Oct 17, 2012 at 4:36 PM, Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
> This was based on the complaint from Davem that the "make
> allmodconfig" build got way slower because module signing takes a
> while.
>
> And quite frankly, the whole "extra strip and sign" thing at modpost
> time was just nasty ugly code.
>
> Why don't we do something *much* simpler? We already have a
> conditional stripping of modules (that whole INSTALL_MOD_STRIP) logic,
> and it really simplifies everything if we just do something very
> similar for the signing of modules. At "make modules_install" time,
> exactly like the stripping is done.

That is indeed simpler for the "build your own kernel" set of people.
There's really nothing wrong with doing it from that perspective.  It's
a bit less safe than what David has now, but it achieves the goal of
making kernel _builds_ faster.

> Sure, it means that if you want to load modules directly from your
> kernel build tree (without installing them), you'd better be running a
> kernel that doesn't need the signing (or you need to sign things
> explicitly). But seriously, nobody cares. If you are building a module
> after booting the kernel with the intention of loading that modified
> module, you aren't going to be doing that whole module signing thing
> *anyway*. Signed modules make sense when building the kernel and
> module together, so signing them as we install the kernel and module
> is just sensible.

Right, if you're building your own.

> It seems to work for me from my (very very limited) testing. Comments?

The downside is that it won't work for distros.  Or at least the distros
using RPM's debuginfo subpackage mechanism.  There's a blog post here:

http://jwboyer.livejournal.com/44787.html

that covers why in greater detail, but the short of it is that the
kernel is built by RPM, installed into the RPM_BUILD_ROOT, and _then_
the debuginfo generation is done.  So that strips the signature off of
the module at that point and the final kernel RPM winds up with no
signed modules.

I'll clean up the patch we're currently carrying in Fedora and send it
to the list tomorrow.  My apologies for not getting it done today, but
I'm a bit jet lagged and trying to catch up on other things after being
gone for a few days.

josh
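
The failure described in the message above, where processing after install leaves the packaged modules without signatures, can be caught by scanning the staged tree for the kernel's appended-signature marker. This is an added example, not part of the original message: the marker string is taken from the kernel's signed-module format rather than from this email, the function names are hypothetical, and only the marker's presence is checked, not the signature's validity.

```shell
#!/bin/sh
# Added example: find kernel modules that lack an appended signature.
# Assumption: a signed module file ends with the 28-byte marker below
# (27 characters plus "\n"). Only the marker's presence is checked.
MODSIG_MARKER='~Module signature appended~'

# Hex-encode stdin so binary tails compare safely as shell strings.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

MODSIG_MARKER_HEX=$(printf '%s\n' "$MODSIG_MARKER" | to_hex)

# module_is_signed FILE: 0 if FILE ends with the marker, 1 if not,
# 2 if FILE is not a regular file.
module_is_signed() {
    [ -f "$1" ] || return 2
    [ "$(tail -c 28 -- "$1" | to_hex)" = "$MODSIG_MARKER_HEX" ]
}

# list_unsigned_modules DIR: print each *.ko under DIR without the marker.
# Returns 0 if every module has it, 1 if any module does not.
list_unsigned_modules() {
    status=0
    tmp=$(mktemp) || return 2
    # A temp file keeps the loop in this shell so $status survives it.
    find "$1" -type f -name '*.ko' | LC_ALL=C sort > "$tmp"
    while IFS= read -r ko; do
        if ! module_is_signed "$ko"; then
            printf '%s\n' "$ko"
            status=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$status"
}

# Stand-alone use: pass the staged install root as the first argument.
if [ "$#" -ge 1 ]; then
    list_unsigned_modules "$1"
fi
```

Run it against the staged tree (the RPM_BUILD_ROOT mentioned in the message) after all post-processing has finished, so that a module missing the marker fails the build instead of reaching the final package.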