Message-ID: <6727b467-e2fe-4981-fe77-b9ec3ebf8818@linux.alibaba.com>
Date: Mon, 12 Mar 2018 22:15:48 +0800
From: Jia Zhang <zhang.jia@...ux.alibaba.com>
To: Jessica Yu <jeyu@...nel.org>
Cc: linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 0/4] modsign enhancement
On 2018/3/12 9:28 PM, Jessica Yu wrote:
> +++ Jia Zhang [08/03/18 12:26 +0800]:
>> This patch series allows disabling module validity enforcement
>> at runtime through the /sys/kernel/security/modsign/enforce interface.
>>
>> Assuming CONFIG_MODULE_SIG_FORCE=y, here are the instructions to
>> disable the validity enforcement.
>>
>> # cat /sys/kernel/security/modsign/enforce
>> # echo -n 0 > data
>> # openssl smime -sign -nocerts -noattr -binary -in data \
>> -inkey <system_trusted_key> -signer <cert> -outform der \
>> -out /sys/kernel/security/modsign/enforce
>>
>> Now enable enforcement again on demand.
>>
>> # echo 1 > /sys/kernel/security/modsign/enforce
>>
>> Changelog:
>> v2:
>> - Support disabling validity enforcement at runtime.
>
> NAK - please use /sys/module/module/parameters/sig_enforce.
>
> And I would rather keep this parameter bool_enable_only, plain and simple.
> What use case do you have/why would you want to disable signature
> enforcement - after having enabled it - during runtime? None of this
> is explained nor justified in the cover letter.
Because there is no way to disable it, such as a module.no_sig_enforce
option, when MODULE_SIG_FORCE=y is available, unless re-compiling a kernel
without this enforcement. This is a bit inconvenient. IMA and SELinux both
have cmdline control, but modsign doesn't.

Even if we really have a module.no_sig_enforce in the cmdline, runtime
disablement can be used to avoid a machine reboot. Sometimes a machine
reboot is expensive.

If you agree, I can implement the runtime disablement via
/sys/module/module/parameters/sig_enforce. Additionally, supporting
module.no_sig_enforce when MODULE_SIG_FORCE=y is another thing to be
implemented.
Thanks,
Jia
>
> Thanks,
>
> Jessica