lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+55aFwPaSB3a8XNxWMyKhwXVJtdOBO-o8-rz3O-vTbwv8K2Tg@mail.gmail.com>
Date:	Wed, 17 Oct 2012 13:36:49 -0700
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	David Miller <davem@...emloft.net>,
	Rusty Russell <rusty@...tcorp.com.au>,
	David Howells <dhowells@...hat.com>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: RFC: sign the modules at install time

This was based on the complaint from Davem that the "make
allmodconfig" build got way slower because module signing takes a
while.

And quite frankly, the whole "extra strip and sign" thing at modpost
time was just nasty ugly code.

Why don't we do something *much* simpler? We already have a
conditional stripping of modules (that whole INSTALL_MOD_STRIP) logic,
and it really simplifies everything if we just do something very
similar for the signing of modules. At "make modules_install" time,
exactly like the stripping is done.

Sure, it means that if you want to load modules directly from your
kernel build tree (without installing them), you'd better be running a
kernel that doesn't need the signing (or you need to sign things
explicitly). But seriously, nobody cares. If you are building a module
after booting the kernel with the intention of loading that modified
module, you aren't going to be doing that whole module signing thing
*anyway*. Signed modules make sense when building the kernel and
module together, so signing them as we install the kernel and module
is just sensible.

And it really is much simpler as shown by the diffstat: 13
insertions(+), 78 deletions(-).

It seems to work for me from my (very very limited) testing. Comments?

           Linus

Download attachment "patch.diff" of type "application/octet-stream" (5213 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ