lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 10 Dec 2011 10:54:48 -0800
From:	Arjan van de Ven <arjan@...ux.intel.com>
To:	Arkadiusz Miśkiewicz <a.miskiewicz@...il.com>
CC:	David Howells <dhowells@...hat.com>, jmorris@...ei.org,
	linux-security-module@...r.kernel.org, keyrings@...ux-nfs.org,
	linux-kernel@...r.kernel.org, dmitry.kasatkin@...el.com,
	zohar@...ux.vnet.ibm.com, alan@...rguk.ukuu.org.uk
Subject: Re: [GIT PULL] Crypto keys and module signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/10/2011 3:42 AM, Arkadiusz Miśkiewicz wrote:
> On Wed, Dec 7, 2011 at 3:47 PM, David Howells <dhowells@...hat.com>
> wrote:
>> 
>> Hi James,
>> 
>> Could you pull my module signing code into the security tree?
>> The patches can be viewed here:
>> 
>> http://git.kernel.org/?p=linux/kernel/git/dhowells/linux-modsign.git;a=shortlog;h=refs/heads/devel
>
>> 
> If I understand it is not possible to sign modules after they are 
> built and load keys without actually rebuilding kernel?

only if the end user chooses to enforce the signature.

> 
> For distro kernel the public and secret keys have to be available 
> publicly, right? Otherwise people using distro kernels won't be
> able to build own signed modules for use with that distro kernel.

That's a distro choice, but... again:

only if the user chooses to enforce the signature.
Very few people actually build their own modules, and for the people
that don't, they can chose to harden their server by only allowing
signed (eg distro shipped) modules.

For those who prefer to build a few other things and still want
security, they can also rebuild the kernel.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJO46r4AAoJEEHdSxh4DVnE39cIALufzQHXgIycaRnImtEWSPrq
PN5ac052lb59YGEbSsUF/Er/SOLfdwJQbD2Gz2/0QCPWfpb64pozDDwFh1IhvvEp
q4D/1wAJBXOaEj1FESPxHkbwvdYe701pgLq0ERQu4SSx69wNMFXNMmp06Jbxuujp
ZRhQcuJQsd76mJi8MZ2f9qnzR+3MQ9zFGK2alqDfb0WiELBc+Cz1nj2tCXrB5AFa
7osPZJK2iBcD+2sfryMEuJWxOjWxm/ZiEz2oIV0vRtnozVEAIYaeJ2Xe6n72Zj3W
AuAGbnfE9j7yzBVz+9KOZEd2DW7MF7Xns4Vn1/1y6W0h0RsXTq15LIXApJL760I=
=fCSX
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ