From: David Howells <dhowells@redhat.com>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: dhowells@redhat.com, "Jason A. Donenfeld" <Jason@zx2c4.com>,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
kernel-hardening@lists.openwall.com,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
ebiggers3@gmail.com, Herbert Xu <herbert@gondor.apana.org.au>,
Kirill Marinushkin <k.marinushkin@gmail.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Ilhan Gurel <ilhan.gurel@gmail.com>,
security@kernel.org, stable <stable@vger.kernel.org>
Subject: [kernel-hardening] Re: Modular BIG_KEYS (was: Re: [PATCH v4] security/keys: rewrite all of big_key crypto)
Date: Mon, 02 Oct 2017 22:12:04 +0100
Message-ID: <7444.1506978724@warthog.procyon.org.uk>
In-Reply-To: <CAMuHMdWd3ttH7Zdpo=bodkOBw2xiyeX_R9MhPf=Bcf0-QLhOiQ@mail.gmail.com>

Geert Uytterhoeven <geert@linux-m68k.org> wrote:

> Now this has hit mainline, the "BIG_KEYS" Kconfig symbol appeared on my
> radar. Is there any reason this cannot be tristate?

It was tristate, but it got converted to bool:

    commit 2eaf6b5dcafda2b8c22930eff7f48a364fce1741
    KEYS: Make BIG_KEYS boolean

and then:

    commit a1f2bdf338f15dbad10ee6362891ebf79244858b
    security/keys: make big_key.c explicitly non-modular

> So to save kernel size, I want to save N, but for a distro kernel that might
> have Kerberos users, you currently need to say Y, while M would be nicer.

If you want to do that, you'll need to implement demand-loading of key type
modules.

Note that you'd end up using a minimum of a whole page as a module rather than
~2K if built in (I know, that's a compromise you have to decide on).

David