Date:   Sat, 24 Mar 2018 10:59:46 +0800
From:   Jia Zhang <zhang.jia@...ux.alibaba.com>
To:     jeyu@...nel.org
Cc:     linux-kernel@...r.kernel.org, zhang.jia@...ux.alibaba.com
Subject: [PATCH v3 0/3][RESEND] modsign enhancement

This patch series allows disabling module validity enforcement
at runtime through the control switch located in securityfs.

In order to keep /sys/module/module/parameters/sig_enforce simple,
the disablement switch is located at
/sys/kernel/security/modsign/disable_enforce.

Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to
test this control switch.

# cat /sys/module/module/parameters/sig_enforce
N
# echo 1 > /sys/module/module/parameters/sig_enforce
# cat /sys/module/module/parameters/sig_enforce
Y
# echo -n 0 > no_sig_enforce
# openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \
    -inkey <system_trusted_key> -signer <cert> -outform der \
    -out /sys/kernel/security/modsign/disable_enforce
# cat /sys/module/module/parameters/sig_enforce
N

Changelog:
v3:
- The control switch now doesn't support showing the status of sig_enforce.

v2:
- Support disabling validity enforcement at runtime.
