Re: [PATCH] MODSIGN: Add TAINT_NOKEY_MODULE

Re: [PATCH] MODSIGN: Add TAINT_NOKEY_MODULE

[Frank Ch. Eigler]

Hi -

> [...]
> -	add_taint(TAINT_DIE);
> +	add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE);
> [...]

If "UNRELIABLE" a good way to describe it - not DANGEROUS or
COUNTERPRODUCTIVE or something, then maybe lockdep *can* produce
reasonable results following such a taint.  If the results are merely
suspect, could lockdep reports include the taint report, but otherwise
keep working?

- FChE

Re: [PATCH] MODSIGN: Add TAINT_NOKEY_MODULE

[Rusty Russell]

"Frank Ch. Eigler" <fche@redhat.com> writes:
> Hi -
>
>> [...]
>> -	add_taint(TAINT_DIE);
>> +	add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE);
>> [...]
>
> If "UNRELIABLE" a good way to describe it - not DANGEROUS or
> COUNTERPRODUCTIVE or something, then maybe lockdep *can* produce
> reasonable results following such a taint.  If the results are merely
> suspect, could lockdep reports include the taint report, but otherwise
> keep working?

git blame is your friend here:

commit 2c16e9c888985761511bd1905b00fb271169c3c0
Author: Arjan van de Ven <arjan@linux.intel.com>
Date:   Mon Jul 10 04:45:42 2006 -0700

    [PATCH] lockdep: disable lock debugging when kernel state becomes untrusted
    
    Disable lockdep debugging in two situations where the integrity of the
    kernel no longer is guaranteed: when oopsing and when hitting a
    tainting-condition.  The goal is to not get weird lockdep traces that don't
    make sense or are otherwise undebuggable, to not waste time.
    
    Lockdep assumes that the previous state it knows about is valid to operate,
    which is why lockdep turns itself off after the first violation it reports,
    after that point it can no longer make that assumption.
    
    A kernel oops means that the integrity of the kernel compromised; in
    addition anything lockdep would report is of lesser importance than the
    oops.
    
    All the tainting conditions are of similar integrity-violating nature and
    also make debugging/diagnosing more difficult.
    
    Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Cheers,
Rusty.

Re: [PATCH] MODSIGN: Add TAINT_NOKEY_MODULE

[Rafael J. Wysocki]

On Monday, January 21, 2013 10:30:22 AM Rusty Russell wrote:
> Dave Jones <davej@redhat.com> writes:
> > On Thu, Jan 17, 2013 at 11:27:27AM +1030, Rusty Russell wrote:
> >  
> >  > taint: add explicit flag to show whether lock dep is still OK.
> >  > 
> >  > Fix up all callers as they were before, with make one change: an
> >  > unsigned module taints the kernel, but doesn't turn off lockdep.
> >  > 
> >  > Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
> >  
> > This made my brain itch a little until I got to the bottom of the
> > patch and saw the new definition of add_taint.  Perhaps instead of
> > false/true, we have LOCKDEP_LIVES/LOCKDEP_DIES or similar defines
> > to make it clearer what's actually happening without having to
> > go read the function ?
> 
> The reason I didn't do that is because it's theoretically more than
> lockdep: it's anything which relies on kernel integrity.
> 
> Then I got the true/false thing mixed up myself, so I think you're right
> :)
> 
> BTW, ACPI people: those TAINT_OVERRIDDEN_ACPI_TABLE taints were
> disabling lockdep: is that overzealous?

I think so, although it's quite difficult to say what the intention was at
this point.

Thanks,
Rafael


-- 
I speak only for myself.
Rafael J. Wysocki, Intel Open Source Technology Center.