Date: Tue, 29 Aug 2017 13:22:59 -0700
From: Matthew Garrett <mjg59@...gle.com>
To: Jessica Yu <jeyu@...nel.org>
Cc: linux-kernel@...r.kernel.org, Rusty Russell <rusty@...tcorp.com.au>, ben@...adent.org.uk
Subject: Re: Allow automatic kernel taint on unsigned module load to be disabled

On Tue, Aug 29, 2017 at 10:56 AM, Jessica Yu <jeyu@...nel.org> wrote:
> I understand what the patch is doing, what I don't yet understand is
> _why_ you would want to remove the unsigned module taint when
> CONFIG_MODULE_SIG is enabled. Which distributions are asking for this
> exactly, and for what use cases? I find it a bit contradictory to have
> CONFIG_MODULE_SIG enabled and at the same time expect the kernel to
> behave as if the option wasn't enabled.

Debian disable CONFIG_MODULE_SIG because of this additional taint
(I've Cc:ed Ben who made this change).

> I would really prefer not to add extra code to remove what is cosmetic
> and still has informational/debug value. If the unsigned module taint
> is for whatever reason that bothersome, why can't distro(s) carry a
> 2-line patch removing the message and taint for those particular
> setups where signatures are considered "irrelevant" even with
> CONFIG_MODULE_SIG=y?

If it's functionality that distributions want to patch out, it makes
sense to provide them with a config option rather than forcing them to
maintain a patch separately.