lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87bod14x44.fsf@rustcorp.com.au>
Date:	Mon, 07 Jan 2013 11:39:47 +1030
From:	Rusty Russell <rusty@...tcorp.com.au>
To:	Josh Boyer <jwboyer@...hat.com>
Cc:	"Frank Ch. Eigler" <fche@...hat.com>, dhowells@...hat.com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] MODSIGN: Don't taint unless signature enforcing is enabled

Josh Boyer <jwboyer@...hat.com> writes:
> With module signing enabled but not in enforcing mode, we don't consider
> unsigned modules to be an error.  However, we only mark sig_ok as true if
> a signature verified.  This causes the module to be tainted with the
> TAINT_FORCED_MODULE flag.

Wait, what?  So, what does CONFIG_MODULE_SIG=y with MODULE_SIG_FORCE=n
mean?  Why not just call that CONFIG_USELESS_BLOAT? :)

>  That in turn taints the kernel, which also disables lockdep.

Yeah, lockdep is oversensitive.  This has been argued before, take it up
with Ingo.  Perhaps we need a taint flag bit to indicate that lockdep
should actually be disabled?

> Tainting the module and kernel when we don't consider something to be an
> error seems excessive.  This marks sig_ok as true if we aren't in enforcing
> mode.

If we were to do this, please follow Plauger's Law: "Don't patch bad
code - rewrite it."

In this case, rip out the now-useless sig_ok field.

Thanks,
Rusty.

> diff --git a/kernel/module.c b/kernel/module.c
> index 250092c..a50172e 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2443,8 +2443,10 @@ static int module_sig_check(struct load_info *info)
>  	if (err < 0 && fips_enabled)
>  		panic("Module verification failed with error %d in FIPS mode\n",
>  		      err);
> -	if (err == -ENOKEY && !sig_enforce)
> +	if (err == -ENOKEY && !sig_enforce) {
> +		info->sig_ok = true;
>  		err = 0;
> +	}
>  
>  	return err;
>  }
> -- 
> 1.8.0.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ