Open Source and information security mailing list archives
 
Date:	Fri, 09 Dec 2011 21:48:45 +1030
From:	Rusty Russell <rusty@...abs.org>
To:	David Howells <dhowells@...hat.com>, keyrings@...ux-nfs.org
Cc:	linux-crypto@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, dmitry.kasatkin@...el.com,
	zohar@...ux.vnet.ibm.com, arjan.van.de.ven@...el.com,
	alan.cox@...el.com, David Howells <dhowells@...hat.com>
Subject: Re: [PATCH 21/21] MODSIGN: Apply signature checking to modules on module load [ver #3]

On Fri, 02 Dec 2011 18:46:51 +0000, David Howells <dhowells@...hat.com> wrote:
> Signed modules may be safely stripped as the signature only covers those parts
> of the module the kernel actually uses and any ELF metadata required to deal
> with them.  Any necessary ELF metadata that is affected by stripping is
> canonicalised by the sig generator and the sig checker to hide strip effects.
> 
> This permits the debuginfo to be detached from the module and placed
> in another spot so that gdb can find it when referring to that module
> without the need for multiple signed versions of the module.  Such is
> done by rpmbuild when producing RPMs.
> 
> It also permits the module to be stripped as far as possible for when modules
> are being reduced prior to being included in an initial ramdisk composition.

And adds a great deal of code in a supposedly security-sensitive path to
achieve it.

How about simply appending a signature to the module?  That'd be about 20
lines of code to carefully check the bounds of the module to figure out
where the signature is.  You could even allow multiple signatures, then
have one for stripped, and one for non-stripped versions.

Sure, you now need to re-append that after stripping, but that's not the
kernel's problem.

Cheers,
Rusty.
PS.  Yay for finding out about module patches via LWN!  How would you
     get this in without my ack, FFS?
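
The appended-signature idea proposed in the reply above, with the bounds checks it calls for and support for several stacked signatures, as an added example that is not code from this thread or from any kernel patch. The trailer layout, the magic string and all names are assumptions made for illustration; the code only locates the signature bytes and leaves verifying them to the caller.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout, for this example only (not a kernel format): [module image],
 * then stacked records of [signature][u32 big-endian length][8-byte magic]. */
#define SIG_MAGIC   "~MODSIG~"
#define TRAILER_LEN 12u /* 4-byte length field + 8-byte magic */
struct sig_ref { const uint8_t *sig; size_t len; };

/* Peel one record off the end: 1 = peeled, 0 = no trailer, -1 = bad length. */
static int peel_signature(const uint8_t *buf, size_t *len, struct sig_ref *out)
{
    size_t n = *len;
    if (n < TRAILER_LEN || memcmp(buf + (n - 8), SIG_MAGIC, 8) != 0)
        return 0;
    const uint8_t *t = buf + (n - TRAILER_LEN);
    uint32_t slen = ((uint32_t)t[0] << 24) | ((uint32_t)t[1] << 16) |
                    ((uint32_t)t[2] << 8) | (uint32_t)t[3];
    n -= TRAILER_LEN;
    /* Compare lengths first; never form buf + n - slen before this check. */
    if (slen == 0 || slen > n)
        return -1;
    out->sig = buf + (n - slen);
    out->len = slen;
    *len = n - slen; /* what remains is the image plus any earlier records */
    return 1;
}

/* Collect stacked records: the count, or -1 if malformed or more than max. */
static int split_signatures(const uint8_t *buf, size_t *len, struct sig_ref *sigs, int max)
{
    struct sig_ref s;
    int count = 0, r;
    while ((r = peel_signature(buf, len, &s)) != 0) {
        if (r < 0 || count == max)
            return -1;
        sigs[count++] = s;
    }
    return count;
}

/* Constructed sample: 4-byte "image" followed by one 2-byte signature record. */
static const uint8_t sample[] = { 'E','L','F','!', 0xAA,0xBB, 0,0,0,2,
                                  '~','M','O','D','S','I','G','~' };
int main(void)
{
    struct sig_ref sigs[4];
    size_t len = sizeof sample;
    return split_signatures(sample, &len, sigs, 4) == 1 && len == 4 ? 0 : 1;
}
```

On success `len` is the length of the bytes a signature would cover; a return of -1 means the whole file should be rejected rather than loaded as unsigned.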
  
  