lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1354507769.2737.59.camel@falcor.watson.ibm.com>
Date:	Sun, 02 Dec 2012 23:09:29 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Rusty Russell <rusty@...tcorp.com.au>
Cc:	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, Mimi Zohar <zohar@...ibm.com>,
	David Howells <dhowells@...hat.com>
Subject: Re: [RFC][PATCH 2/2] modsig: differentiate between ephemeral and
 persistent key names

On Mon, 2012-12-03 at 11:56 +1030, Rusty Russell wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> writes:
> > Using the same name for ephemeral and "persistent" keys results
> > in deleting the "persistent" key.  This patch renames the normal
> > kbuild asymmetric key pair name to "default_signing_key" and the
> > ephemeral key pair name to "ephemeral_signing_key".
> 
> I like the idea: I was always uncomfortable with the mixing of
> persistent and temporary keys.  But it's a bit misguided, because surely
> persistent keys don't belong in the build tree at all.

The original intent of the patch was to differentiate between a key
generated as part of the kbuild process, that exists for an indefinite
period of time, versus an ephemeral key, which is created and
immediately thrown away, after signing the kernel modules.

> 
> How about we do something like:
> 
> # Default to temporary keys
> MODKEYPREFIX = ./temp_signing_key
> 
> MODSECKEY = $(MODKEYPREFIX).priv
> MODPUBKEY = $(MODKEYPREFIX).x509
> 
> Then encourage people to do:
> 
>         make MODKEYPREFIX=...

Although your suggestion addresses a different use case scenario, I like
it a lot.  Fortunately, it also works for the above ephemeral use case.
The default temporary key would be persistent across builds, while an
ephemeral key could be defined as "MODKEYPREFIX
= ./ephemeral_signing_key".

My main concern is having to force modsign_pubkey to be rebuilt each and
every time, since there is no way of knowing which key was previously
included.

> We could also use a config option to set the path, but that's probably
> less convenient.

Definitely less convenient.  I assume the normal use case for developers
would be multiple builds, followed by an install.  Each build shouldn't
require regenerating a new keypair, nor at the point that we're ready to
sign and install the kernel modules and image, do we want to change
the .config, which would result in additional, as you put it, root owned
turds.

thanks,

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ