From: Rusty Russell <rusty@rustcorp.com.au>
To: David Howells <dhowells@redhat.com>
Cc: kyle@mcmartin.ca, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@linux-nfs.org
Subject: Re: [PATCH 00/29] Crypto keys and module signing [ver #4]
Date: Sat, 19 May 2012 10:23:05 +0930 [thread overview]
Message-ID: <87ipft3sb2.fsf@rustcorp.com.au> (raw)
In-Reply-To: <20120510233901.4137.19023.stgit@warthog.procyon.org.uk>
On Fri, 11 May 2012 00:39:01 +0100, David Howells <dhowells@redhat.com> wrote:
>
> Hi Rusty,
>
> Here's my latest take on my module signing patch set. I've retained my
> strip-proof[*] signature-in-module concept, but I've shrunk the module
> verification code by nearly half. Its .text segment now stands at just over 2K
> in size for an x86_64 kernel.
Hi David!
I get it. Some management bigwig at RH has told you to get this
patch in, right? And you told them it'd had been Nacked, that the
maintainer had said it was never going in, and of course, that it was a
stupid idea and to give up on the idea of stripping modules after
signing, and just append a magic marker and the signature.
But they just wouldn't listen, would they? So you had to waste
your time polishing this turd, until you annoy me enough to get the kind
of flaming rejection which is visible from space and chars the eyeballs
of your manager so they understand.
Well, here it is. I even put it in caps for you!
NAK. THIS PATCH WILL NEVER, EVER GO IN. I AM NOT PUTTING CRAP IN THE
KERNEL BECAUSE RH CAN'T FIGURE OUT HOW TO PRODUCE STRIPPED VERSIONS OF
MODULES DURING BUILD. DON'T BE TOO PROUD OF THIS TECHNOLOGICAL TERROR
YOU'VE CONSTRUCTED.
I look forward to you updated patch series!
Rusty.
prev parent reply other threads:[~2012-05-19 0:53 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-10 23:39 [PATCH 00/29] Crypto keys and module signing [ver #4] David Howells
2012-05-10 23:39 ` [PATCH 01/29] MPILIB: Export some more symbols " David Howells
2012-05-10 23:39 ` [PATCH 02/29] KEYS: Move the key config into security/keys/Kconfig " David Howells
2012-05-10 23:39 ` [PATCH 03/29] KEYS: Announce key type (un)registration " David Howells
2012-05-10 23:39 ` [PATCH 04/29] KEYS: Reorganise keys Makefile " David Howells
2012-05-10 23:39 ` [PATCH 05/29] KEYS: Create a key type that can be used for general cryptographic operations " David Howells
2012-05-10 23:40 ` [PATCH 06/29] KEYS: Add signature verification facility " David Howells
2012-05-10 23:40 ` [PATCH 07/29] KEYS: Asymmetric public-key algorithm crypto key subtype " David Howells
2012-05-10 23:40 ` [PATCH 08/29] KEYS: RSA signature verification algorithm " David Howells
2012-05-10 23:40 ` [PATCH 09/29] Fix signature verification for shorter signatures " David Howells
2012-05-10 23:40 ` [PATCH 10/29] PGPLIB: PGP definitions (RFC 4880) " David Howells
2012-05-10 23:41 ` [PATCH 11/29] PGPLIB: Basic packet parser " David Howells
2012-05-10 23:41 ` [PATCH 12/29] PGPLIB: Signature " David Howells
2012-05-10 23:41 ` [PATCH 13/29] KEYS: PGP data " David Howells
2012-05-10 23:41 ` [PATCH 14/29] KEYS: PGP-based public key signature verification " David Howells
2012-05-10 23:41 ` [PATCH 15/29] KEYS: PGP format signature parser " David Howells
2012-05-10 23:41 ` [PATCH 16/29] KEYS: Provide a function to load keys from a PGP keyring blob " David Howells
2012-05-10 23:42 ` [PATCH 17/29] Provide macros for forming the name of an ELF note and its section " David Howells
2012-05-10 23:42 ` [PATCH 18/29] Guard check in module loader against integer overflow " David Howells
2012-05-10 23:42 ` [PATCH 19/29] MODSIGN: Add indications of module ELF types " David Howells
2012-05-10 23:42 ` [PATCH 20/29] MODSIGN: Provide gitignore and make clean rules for extra files " David Howells
2012-05-10 23:42 ` [PATCH 21/29] MODSIGN: Provide Documentation and Kconfig options " David Howells
2012-05-10 23:43 ` [PATCH 22/29] MODSIGN: Sign modules during the build process " David Howells
2012-05-10 23:43 ` [PATCH 23/29] MODSIGN: Module signature verification stub " David Howells
2012-05-10 23:43 ` [PATCH 24/29] MODSIGN: Provide module signing public keys to the kernel " David Howells
2012-05-10 23:43 ` [PATCH 25/29] MODSIGN: Check the ELF container " David Howells
2012-05-10 23:43 ` [PATCH 26/29] MODSIGN: Produce a filtered and canonicalised section list " David Howells
2012-05-10 23:43 ` [PATCH 27/29] MODSIGN: Create digest of module content and check signature " David Howells
2012-05-10 23:44 ` [PATCH 28/29] MODSIGN: Automatically generate module signing keys if missing " David Howells
2012-05-10 23:44 ` [PATCH 29/29] MODSIGN: Suppress some redundant ELF checks " David Howells
2012-05-11 13:30 ` [PATCH 00/29] Crypto keys and module signing " Tetsuo Handa
2012-05-11 14:32 ` David Howells
2012-05-11 16:17 ` David Howells
2012-05-19 0:53 ` Rusty Russell [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ipft3sb2.fsf@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=dhowells@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=kyle@mcmartin.ca \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.