| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+5PVA7fAtL3BEOjf8Ku1SBRbMvnneRXLkb=VRSpHkG=Bk7tzQ@mail.gmail.com> Date: Wed, 17 Oct 2012 20:13:34 -0400 From: Josh Boyer <jwboyer@...il.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: David Miller <davem@...emloft.net>, Rusty Russell <rusty@...tcorp.com.au>, David Howells <dhowells@...hat.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: RFC: sign the modules at install time On Wed, Oct 17, 2012 at 7:21 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Wed, Oct 17, 2012 at 4:07 PM, Linus Torvalds > <torvalds@...ux-foundation.org> wrote: >> >> Hmm. It *should* work for them too, because the debuginfo modules stay >> around in the object tree, and never get stripped there. None of this >> is different from what we used to do before: we stripped the modules >> as we copied them to /lib/modules (where the RPM build obviously would >> have that $RPM_BUILD_ROOT prefix on the module install path). > > Ok, I read your description of the odd way fedora builds debuginfo kernels. > > I actually think that works fine too. I do agree with adding a "make > sign_modules" target, but it would *re-sign* them after "make > modules_install" has already signed them once. > > Why? > > What you'd do for your debuginfo requirements is: > > - do the normal kernel build, and install modules (with *my* patch, > which does signing at install time) > > This does the normal (conditionally stripped - you just wouldn't > strip them, but you cannot have done that before either) modules, > installs them, and signs then. > > Ta-daa, you have your debuginfo modules installed, and they are > signed. Create the debuginfo rpm. > > - now, strip the modules. This obviously destroys the signatures find-debuginfo.sh is what creates the debuginfo RPM. It strips the module debug symbols (and the signature), so there's no need to further strip things at this point. > - do the extra "make sign_modules" that you added, that re-signs the > already installed modules, and now you can create the non-debuginfo > rpm. OK, sounds sane at first glance. > Voila. "make modules_install" does the right thing for everybody - > including normal users. And it does so without the incredible baroque > code. And no normal user is expected to ever use the new "make > sign_modules", but it allows for the Fedora "we'll want to sign them > again". > > That said, you could even just do "make sign-modules" on your own > without any makefile targets. After all, it would just be something > like > > find $MODULEDIR --name '*.ko | while read i; do script/sign-file > keyfile x509file $i; done > > so it could even be done in that rpm script directly. Sure, as long as the script is in the kernel tree (or at least I would like it to be). When I wrote the patch, _none_ of the modsign stuff was in-tree at the time so I had to carry and adapt things as the code changed along the way. In my defense, I did say I have to clean it up still. :) josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists