[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180327221137.d7fhboicw2wi3a52@redbean>
Date: Wed, 28 Mar 2018 00:11:37 +0200
From: Jessica Yu <jeyu@...nel.org>
To: Jia Zhang <zhang.jia@...ux.alibaba.com>
Cc: Rusty Russell <rusty@...tcorp.com.au>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 0/3][RESEND] modsign enhancement
+++ Jia Zhang [24/03/18 10:59 +0800]:
>This patch series allows to disable module validity enforcement
>in runtime through the control switch located in securityfs.
>
>In order to keep /sys/module/module/parameters/sig_enforce simple,
>the disablement switch is located at
>/sys/kernel/security/modsign/disable_enforce.
>
>Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to
>test this control switch.
>
># cat /sys/module/module/parameters/sig_enforce
>N
># echo 1 > /sys/module/module/parameters/sig_enforce
># cat /sys/module/module/parameters/sig_enforce
>Y
># echo -n 0 > no_sig_enforce
># openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \
> -inkey <system_trusted_key> -signer <cert> -outform der \
> -out /sys/kernel/security/modsign/disable_enforce
># cat /sys/module/module/parameters/sig_enforce
>N
I'm not convinced we need this. And neither the use case nor the
motivation is explained in the cover letter :-(
The way I see it - the only time you'd actually use this is in the
situation where you have *already* enabled sig_enforce, and then later
you change your mind - meaning you wanted to load unsigned modules
after all. And if you ever plan on loading unsigned modules, why would
you have enabled sig_enforce in the first place? If you want to keep
the option of loading unsigned modules, don't have sig_enforce or
CONFIG_MODULE_SIG_FORCE enabled.
[ CC'd Rusty in case he has some thoughts on this ]
Jessica
Powered by blists - more mailing lists