lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 27 Sep 2021 22:08:35 +0200
From:   Andreas Rammhold <andreas@...mhold.de>
To:     Mimi Zohar <zohar@...ux.ibm.com>
Cc:     Andreas Rammhold <andreas@...mhold.de>,
        Ahmad Fatoum <a.fatoum@...gutronix.de>,
        James Bottomley <jejb@...ux.ibm.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        David Howells <dhowells@...hat.com>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Sumit Garg <sumit.garg@...aro.org>,
        linux-integrity@...r.kernel.org, keyrings@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] KEYS: trusted: Fix trusted key backends when building
 as module

On 07:27 27.09.21, Mimi Zohar wrote:
> On Mon, 2021-09-27 at 10:51 +0200, Andreas Rammhold wrote:
> > On 09:47 13.09.21, Ahmad Fatoum wrote:
> > > Dear trusted key maintainers,
> > > 
> > > On 30.07.21 03:28, Andreas Rammhold wrote:
> > > > Before this commit the kernel could end up with no trusted key sources
> > > > even though both of the currently supported backends (TPM and TEE) were
> > > > compiled as modules. This manifested in the trusted key type not being
> > > > registered at all.
> > > > 
> > > > When checking if a CONFIG_… preprocessor variable is defined we only
> > > > test for the builtin (=y) case and not the module (=m) case. By using
> > > > the IS_REACHABLE() macro we do test for both cases.
> > > > 
> > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework")
> > > > Signed-off-by: Andreas Rammhold <andreas@...mhold.de>
> > > > Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>
> > > Does anyone intend to pick this up?
> > 
> > Did this end up in any tree by now? I am wondering if I should resend
> > the patch instead. Perhaps it was just overlooked?
> 
> For EVM environments only using trusted and encrypted keys, not file
> signatures, the trusted key is needed to decrypt the "master" key in
> order to verify kernel modules.

So what you are saying is that right now (before this patch & after this
patch) you could compile a kernel that wouldn't be able to load any
modules when the trusted keychain part is built as module?


Andi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ