lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 12 Mar 2018 14:28:25 +0100
From:   Jessica Yu <jeyu@...nel.org>
To:     Jia Zhang <zhang.jia@...ux.alibaba.com>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 0/4] modsign enhancement

+++ Jia Zhang [08/03/18 12:26 +0800]:
>This patch series allows to disable module validity enforcement
>in runtime through /sys/kernel/security/modsign/enforce interface.
>
>Assuming CONFIG_MODULE_SIG_FORCE=y, here are the instructions to
>disable the validity enforcement.
>
># cat /sys/kernel/security/modsign/enforce
># echo -n 0 > data
># openssl smime -sign -nocerts -noattr -binary -in data \
>    -inkey <system_trusted_key> -signer <cert> -outform der \
>    -out /sys/kernel/security/modsign/enforce
>
>Now enable enforcement again on demand.
>
># echo 1 > /sys/kernel/security/modsign/enforce
>
>Changelog:
>v2:
>- Support to disable validity enforcement in runtime.

NAK - please use /sys/module/module/parameters/sig_enforce.

And I would rather keep this parameter bool_enable_only, plain and simple.
What use case do you have/why would you want to disable signature
enforcement - after having enabled it - during runtime?  None of this
is explained nor justified in the cover letter.

Thanks,

Jessica

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ