From: Rusty Russell <rusty@rustcorp.com.au>
To: Josh Boyer <jwboyer@redhat.com>
Cc: "Frank Ch. Eigler" <fche@redhat.com>,
dhowells@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] MODSIGN: Don't taint unless signature enforcing is enabled
Date: Mon, 07 Jan 2013 11:39:47 +1030 [thread overview]
Message-ID: <87bod14x44.fsf@rustcorp.com.au> (raw)
In-Reply-To: <20130104191205.GD27554@hansolo.jdub.homelinux.org>
Josh Boyer <jwboyer@redhat.com> writes:
> With module signing enabled but not in enforcing mode, we don't consider
> unsigned modules to be an error. However, we only mark sig_ok as true if
> a signature verified. This causes the module to be tainted with the
> TAINT_FORCED_MODULE flag.
Wait, what? So, what does CONFIG_MODULE_SIG=y with MODULE_SIG_FORCE=n
mean? Why not just call that CONFIG_USELESS_BLOAT? :)
> That in turn taints the kernel, which also disables lockdep.
Yeah, lockdep is oversensitive. This has been argued before, take it up
with Ingo. Perhaps we need a taint flag bit to indicate that lockdep
should actually be disabled?
> Tainting the module and kernel when we don't consider something to be an
> error seems excessive. This marks sig_ok as true if we aren't in enforcing
> mode.
If we were to do this, please follow Plauger's Law: "Don't patch bad
code - rewrite it."
In this case, rip out the now-useless sig_ok field.
Thanks,
Rusty.
> diff --git a/kernel/module.c b/kernel/module.c
> index 250092c..a50172e 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2443,8 +2443,10 @@ static int module_sig_check(struct load_info *info)
> if (err < 0 && fips_enabled)
> panic("Module verification failed with error %d in FIPS mode\n",
> err);
> - if (err == -ENOKEY && !sig_enforce)
> + if (err == -ENOKEY && !sig_enforce) {
> + info->sig_ok = true;
> err = 0;
> + }
>
> return err;
> }
> --
> 1.8.0.1
next prev parent reply other threads:[~2013-01-07 1:17 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-04 19:12 [PATCH] MODSIGN: Don't taint unless signature enforcing is enabled Josh Boyer
2013-01-07 1:09 ` Rusty Russell [this message]
2013-01-07 14:58 ` Josh Boyer
2013-01-15 19:09 ` [PATCH] MODSIGN: Add TAINT_NOKEY_MODULE Josh Boyer
2013-01-16 3:34 ` Rusty Russell
2013-01-16 13:21 ` Josh Boyer
2013-01-16 19:37 ` Josh Boyer
2013-01-17 0:57 ` Rusty Russell
2013-01-17 15:02 ` Dave Jones
[not found] ` <8738xvxv55.fsf@rustcorp.com.au>
2013-01-21 0:19 ` Frank Ch. Eigler
2013-01-21 1:50 ` Rusty Russell
2013-01-21 0:46 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bod14x44.fsf@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=dhowells@redhat.com \
--cc=fche@redhat.com \
--cc=jwboyer@redhat.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.