| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 16 Feb 2014 23:58:21 +0000 (UTC) From: Mathieu Desnoyers <mathieu.desnoyers@...icios.com> To: Rusty Russell <rusty@...tcorp.com.au> Cc: Steven Rostedt <rostedt@...dmis.org>, Ingo Molnar <mingo@...nel.org>, linux-kernel@...r.kernel.org, Ingo Molnar <mingo@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, David Howells <dhowells@...hat.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: Re: [RFC PATCH] Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE ----- Original Message ----- > From: "Rusty Russell" <rusty@...tcorp.com.au> > To: "Steven Rostedt" <rostedt@...dmis.org> > Cc: "Ingo Molnar" <mingo@...nel.org>, "Mathieu Desnoyers" <mathieu.desnoyers@...icios.com>, > linux-kernel@...r.kernel.org, "Ingo Molnar" <mingo@...hat.com>, "Thomas Gleixner" <tglx@...utronix.de>, "David > Howells" <dhowells@...hat.com>, "Greg Kroah-Hartman" <gregkh@...uxfoundation.org> > Sent: Thursday, February 13, 2014 7:51:19 PM > Subject: Re: [RFC PATCH] Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE > > Steven Rostedt <rostedt@...dmis.org> writes: > > On Thu, 13 Feb 2014 13:54:42 +1030 > > Rusty Russell <rusty@...tcorp.com.au> wrote: > > > > > >> I'm ambivalent towards out-of-tree modules, so not tempted unless I see > >> a bug report indicating a concrete problem. Then we can discuss... > > > > As I replied in another email, this is a concrete problem, and affects > > in-tree kernel modules. > > > > If you have the following in your .config: > > > > CONFIG_MODULE_SIG=y > > # CONFIG_MODULE_SIG_FORCE is not set > > # CONFIG_MODULE_SIG_ALL is not set > > This means you've set the "I will arrange my own module signing" config > option: > > Sign all modules during make modules_install. Without this option, > modules must be signed manually, using the scripts/sign-file tool. > > comment "Do not forget to sign required modules with scripts/sign-file" > depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL > > Then you didn't do that. You broke it, you get to keep both pieces. > > Again: is there an actual valid use case? One use-case where this is biting us for in-tree modules is when a user or developer recompile modules against a distribution kernel which has CONFIG_MODULE_SIG set (and possibly CONFIG_MODULE_SIG_ALL), but do not recompile the kernel per se. That user/developer might want to try out a local modification to one of his modules (which is something within the user's rights given by the GPL), or want to add tracepoints to a module to figure out what is going wrong. It is then not possible to sign the recompiled modules, since it makes no sense to expect distribution vendors to ever distribute their private signing keys; that would defeat the whole point of signing. In those cases, when loaded in a kernel that is not enforcing module signature, the recompiled modules will taint the kernel and modules with "TAINT_FORCED_MODULE" (which is a lie: the modules can be loaded without --force), and the tracepoints sitting in that module are silently ignored (which is a bug). Thanks, Mathieu -- Mathieu Desnoyers EfficiOS Inc. http://www.efficios.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists