lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 28 Aug 2023 16:31:24 +0200
From:   Nicolas Schier <nicolas@...sle.eu>
To:     Masahiro Yamada <masahiroy@...nel.org>
Cc:     linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>
Subject: Re: [PATCH 7/8] kbuild: support 'make modules_sign' with
 CONFIG_MODULE_SIG_ALL=n

On Wed 23 Aug 2023 20:50:47 GMT, Masahiro Yamada wrote:
> Commit d890f510c8e4 ("MODSIGN: Add modules_sign make target") introduced
> 'make modules_sign' to manually sign modules.
> 
> Some time later, commit d9d8d7ed498e ("MODSIGN: Add option to not sign
> modules during modules_install") introduced CONFIG_MODULE_SIG_ALL.
> If it was disabled, mod_sign_cmd was set to no-op ('true' command).
> It affected not only 'make modules_install' but also 'make modules_sign'.
> With CONFIG_MODULE_SIG_ALL=n, 'make modules_install' did not sign modules
> and 'make modules_sign' could not sign modules either.
> 
> Kbuild has kept that behavior, and nobody has complained about it, but
> I think it is weird.
> 
> CONFIG_MODULE_SIG_ALL=n should turn off signing only for modules_install.
> If users want to sign modules manually, they should be allowed to use
> 'make modules_sign'.
> 
> Signed-off-by: Masahiro Yamada <masahiroy@...nel.org>
> ---

Reviewed-by: Nicolas Schier <nicolas@...sle.eu>

> 
>  scripts/Makefile.modinst | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
> index dc7c54669082..33d424a3f265 100644
> --- a/scripts/Makefile.modinst
> +++ b/scripts/Makefile.modinst
> @@ -106,7 +106,6 @@ endif
>  # Signing
>  # Don't stop modules_install even if we can't sign external modules.
>  #
> -ifeq ($(CONFIG_MODULE_SIG_ALL),y)
>  ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
>  sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
>  else
> @@ -115,13 +114,15 @@ endif
>  quiet_cmd_sign = SIGN    $@
>        cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@ \
>                   $(if $(KBUILD_EXTMOD),|| true)
> -else
> +
> +ifeq ($(modules_sign_only),)
> +
> +# During modules_install, modules are signed only when CONFIG_MODULE_SIG_ALL=y.
> +ifndef CONFIG_MODULE_SIG_ALL
>  quiet_cmd_sign :=
>        cmd_sign := :
>  endif
>  
> -ifeq ($(modules_sign_only),)
> -
>  $(dst)/%.ko: $(extmod_prefix)%.ko FORCE
>  	$(call cmd,install)
>  	$(call cmd,strip)
> -- 
> 2.39.2

-- 
Nicolas Schier
 
epost|xmpp: nicolas@...sle.eu          irc://oftc.net/nsc
↳ gpg: 18ed 52db e34f 860e e9fb  c82b 7d97 0932 55a0 ce7f
     -- frykten for herren er opphav til kunnskap --

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ