lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <27402.1422017769@warthog.procyon.org.uk>
Date:	Fri, 23 Jan 2015 12:56:09 +0000
From:	David Howells <dhowells@...hat.com>
To:	Alexander Holler <holler@...oftware.de>
Cc:	dhowells@...hat.com, Michal Marek <mmarek@...e.cz>,
	linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] modsign: provide option to automatically delete the key after modules were installed

Alexander Holler <holler@...oftware.de> wrote:

> 1. I have no idea about how distro maintainers do handle their private and
> public keys used to sign modules.

In Fedora and RHEL, at least, we use a one-off on-the-fly generated transient
key for each rpm build.

When a kernel is built by rpmbuild, the source directory is generated afresh
and a new key created each time.  In the build farms, the kernel build tree is
simply erased, private key and all, at the conclusion of the build.

We make no effort to retain the transient private key as (1) it would require
special handling for kernel builds to avoid leaking it, (2) it might impact
non-buildfarm builds, and (3) it's more secure that no one has the private
key.

One thing that you have to be careful of with your patch is that if you turn
it on during development, this will drain the entropy pool from which you get
random numbers.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ