lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 4 May 2015 18:37:24 +0300
From:	Andrey Skvortsov <andrej.skvortzov@...il.com>
To:	maximilian attems <max@...o.at>
Cc:	Michal Marek <mmarek@...e.cz>, Ben Hutchings <ben@...adent.org.uk>,
	linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] builddeb: fix stripped module signatures if
 CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG_ALL are set

On 22 Apr, maximilian attems wrote:
> On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> > (added Max to Cc)
> > 
> > On 2015-03-16 09:20, Andrey Skvortsov wrote:
> > > If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> > > automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> > > tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> > > is NOT set. In that case deb-package contains signed modules.
> > > 
> > > But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> > > debug information. To do that, debug information from all modules
> > > is copied into separate files by objcopy. And loadable kernel modules are
> > > stripped afterwards. Stripping removes previously (during modules_install)
> > > added signatures from loadable kernel modules. Therefore final deb-package
> > > contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> > > 
> > > This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> > > to solve this problem.
> > > 
> > > Signed-off-by: Andrey Skvortsov <andrej.skvortzov@...il.com>
> > 
> > Max, Ben, are you fine with this patch? It looks OK to me, the
> > modules_sign target has been added for this very purpose.
> > 
> 
> Ben seems busy with the release, so jumping in. The patch looks
> perfect to me.
> 
> Acked-by: maximilian attems <max@...o.at>
> 
Maximilian, thanks for the review.

Michal, are we waiting for Ben's acknowledge too?

-- 
Best regards,
Andrey Skvortsov

Secure e-mail with gnupg: See http://www.gnupg.org/
PGP Key ID: 0x57A3AEAD



Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ