Message-ID: <6784.1438075731@warthog.procyon.org.uk>
Date:	Tue, 28 Jul 2015 10:28:51 +0100
From:	David Howells <dhowells@...hat.com>
To:	David Woodhouse <dwmw2@...radead.org>
Cc:	dhowells@...hat.com, Andy Lutomirski <luto@...nel.org>,
	jmorris@...ei.org, mcgrof@...il.com, keyrings@...ux-nfs.org,
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures

David Woodhouse <dwmw2@...radead.org> wrote:

> As part of the firmware signatures, if we are asked to check the
> filename then yes we should require it to be present *and* match. But
> if we aren't checking (which we can't for modules since we don't know
> what's being loaded), why require it to be present at all?

For firmware, that's in the next set of patches, at the tag
fwsign-pkcs7-20150720.

For modules we could require it not to be present since, as you say, there's
no way generally for the kernel to check the module name requested.  The only
thing it could really do is to extract the expected name from the PKCS#7 and
compare it against the name in the modinfo structure *after* checking the
signature.  This would require passing the module name to sign-file too.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
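The check order described in the message above, as an added example that is not code from this thread or from the kernel: a Python model that verifies the appended signature first and only then compares the signer-asserted name with the module's own modinfo name. The trailer layout and marker follow the kernel's `struct module_signature`; the PKCS#7 signature is replaced by an HMAC stand-in and the modinfo section by NUL-separated `key=value` entries (both assumptions, so it runs offline).

```python
import hmac
import hashlib
import struct

MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (big-endian u32)
SIG_INFO = struct.Struct(">BBBBB3xI")
MAC_LEN = 32

def sign_module(module: bytes, signed_name: str, key: bytes) -> bytes:
    """Append a stand-in signature covering the module bytes plus the name the signer asserts."""
    payload = signed_name.encode() + b"\0"   # stand-in for a signed (authenticated) attribute
    mac = hmac.new(key, module + payload, hashlib.sha256).digest()  # stand-in for PKCS#7 (assumption)
    sig = payload + mac
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return module + sig + info + MAGIC

def modinfo_name(module: bytes):
    """Return the 'name=' entry from a constructed NUL-separated modinfo section, or None."""
    for entry in module.split(b"\0"):
        if entry.startswith(b"name="):
            return entry[5:].decode()
    return None

def verify_module(blob: bytes, key: bytes):
    """Return (ok, detail): detail is the authenticated name on success, a reason on failure."""
    if not blob.endswith(MAGIC):
        return False, "no signature marker"
    body = blob[:-len(MAGIC)]
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    if id_type != PKEY_ID_PKCS7 or (algo, hsh, signer_len, key_id_len) != (0, 0, 0, 0):
        return False, "unexpected signature info"
    body = body[:-SIG_INFO.size]
    if sig_len <= MAC_LEN or sig_len > len(body):
        return False, "bad sig_len"
    module, sig = body[:-sig_len], body[-sig_len:]
    payload, mac = sig[:-MAC_LEN], sig[-MAC_LEN:]
    # 1. Verify the signature before trusting anything carried inside it.
    expected = hmac.new(key, module + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    # 2. Only now is the signed name authenticated; compare it against modinfo.
    signed_name = payload.rstrip(b"\0").decode()
    if signed_name != modinfo_name(module):
        return False, "signed name does not match modinfo name"
    return True, signed_name
```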
