lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <24feb895-eae1-5b9e-47d8-9ee9851710cc@infradead.org>
Date:   Thu, 22 Apr 2021 19:57:37 -0700
From:   Randy Dunlap <rdunlap@...radead.org>
To:     Nayna Jain <nayna@...ux.ibm.com>, linux-integrity@...r.kernel.org,
        keyrings@...r.kernel.org
Cc:     linux-security-module@...r.kernel.org,
        David Howells <dhowells@...hat.com>,
        Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
        Stefan Berger <stefanb@...ux.ibm.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        David Woodhouse <dwmw2@...radead.org>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        Arnd Bergmann <arnd@...nel.org>,
        Stephen Rothwell <sfr@...b.auug.org.au>
Subject: Re: [PATCH] ima: ensure IMA_APPRAISE_MODSIG has necessary
 dependencies

On 4/22/21 6:16 PM, Nayna Jain wrote:
> IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel
> and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build
> break.
> 
> Ensure the build time kernel signing key is only generated if both
> IMA_APPRAISE_MODSIG and MODULES are enabled.
> 
> Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key") 
> Reported-by: Randy Dunlap <rdunlap@...radead.org> 
> Reported-by: Stephen Rothwell <sfr@...b.auug.org.au>
> Signed-off-by: Nayna Jain <nayna@...ux.ibm.com>

Works For Me. Thanks.

Acked-by: Randy Dunlap <rdunlap@...radead.org> # build-tested

> ---
>  certs/Kconfig               | 2 +-
>  certs/Makefile              | 2 ++
>  certs/system_certificates.S | 3 ++-
>  3 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/certs/Kconfig b/certs/Kconfig
> index 48675ad319db..e4d00348fd73 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -4,7 +4,7 @@ menu "Certificates for signature checking"
>  config MODULE_SIG_KEY
>  	string "File name or PKCS#11 URI of module signing key"
>  	default "certs/signing_key.pem"
> -	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
> +	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
>  	help
>           Provide the file name of a private key/certificate in PEM format,
>           or a PKCS#11 URI according to RFC7512. The file should contain, or
> diff --git a/certs/Makefile b/certs/Makefile
> index e3185c57fbd8..2f369d6aa494 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -36,8 +36,10 @@ ifeq ($(CONFIG_MODULE_SIG),y)
>  endif
>  
>  ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +ifeq ($(CONFIG_MODULES),y)
>  	SIGN_KEY = y
>  endif
> +endif
>  
>  ifdef SIGN_KEY
>  ###############################################################################
> diff --git a/certs/system_certificates.S b/certs/system_certificates.S
> index dcad27ea8527..e1645e6f4d97 100644
> --- a/certs/system_certificates.S
> +++ b/certs/system_certificates.S
> @@ -9,7 +9,8 @@
>  system_certificate_list:
>  __cert_list_start:
>  __module_cert_start:
> -#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
> +#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
> +			       && defined(CONFIG_MODULES))
>  	.incbin "certs/signing_key.x509"
>  #endif
>  __module_cert_end:
> 


-- 
~Randy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ