| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Nov 2012 08:48:34 -0400 From: Josh Boyer <jwboyer@...hat.com> To: Rusty Russell <rusty@...tcorp.com.au> Cc: dhowells@...hat.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] MODSIGN: Add modules_sign make target On Fri, Nov 02, 2012 at 01:49:14PM +1030, Rusty Russell wrote: > Josh Boyer <jwboyer@...hat.com> writes: > > > On Thu, Nov 01, 2012 at 06:03:18PM +1030, Rusty Russell wrote: > >> Josh Boyer <jwboyer@...hat.com> writes: > >> > >> > If CONFIG_MODULE_SIG is set, and 'make modules_sign' is called then this > >> > patch will cause the modules to get a signature appended. The make target > >> > is intended to be run after 'make modules_install', and will modify the > >> > modules in-place in the installed location. It can be used to produce > >> > signed modules after they have been processed by distribution build > >> > scripts. > >> > > >> > Signed-off-by: Josh Boyer <jwboyer@...hat.com> > >> > >> It's a bit of a niche case, but applied. > > > > Thanks. Whether you consider RPM built kernels niche or not doesn't > > matter to me. Having this upstream is one less patch we have to carry > > so I appreciate it a lot. > > My comment was more that this relies on eu-strip, because we always > sign modules on installation, so you need eu-strip to *unsign* them > (strip won't do it, BTW). Really? Which version of binutils are you using? The strip I have here seems to have no qualms about stripping off the signatures: [jwboyer@...alhost crypto]$ hexdump -C blowfish-x86_64.ko | tail -5 000315d0 29 a3 6d 5e 38 01 23 b5 d8 53 cf db 01 04 01 1e |).m^8.#..S......| 000315e0 14 00 00 00 00 00 02 02 7e 4d 6f 64 75 6c 65 20 |........~Module | 000315f0 73 69 67 6e 61 74 75 72 65 20 61 70 70 65 6e 64 |signature append| 00031600 65 64 7e 0a |ed~.| 00031604 [jwboyer@...alhost crypto]$ strip --strip-debug blowfish-x86_64.ko [jwboyer@...alhost crypto]$ hexdump -C blowfish-x86_64.ko | tail -5 00004c20 01 00 00 00 2b 00 00 00 00 00 00 00 00 00 00 00 |....+...........| 00004c30 50 01 00 00 00 00 00 00 01 00 00 00 33 00 00 00 |P...........3...| 00004c40 00 00 00 00 00 00 00 00 50 02 00 00 00 00 00 00 |........P.......| 00004c50 01 00 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 |..../...........| 00004c60 [jwboyer@...alhost crypto]$ rpm -qf `which strip` binutils-2.23.51.0.1-3.fc18.x86_64 [jwboyer@...alhost crypto]$ So that makes me very curious. > More general would be a modules_install_unsigned target to match this, > but since noone would use it, let's not write it :) Deal. josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists