From mboxrd@z Thu Jan 1 00:00:00 1970 From: James Morris Subject: Re: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down Date: Fri, 9 Aug 2019 08:43:05 +1000 (AEST) Message-ID: References: <20190731221617.234725-1-matthewgarrett@google.com> <20190731221617.234725-5-matthewgarrett@google.com> <20190801142157.GA5834@linux-8ccs> <20190808100059.GA30260@linux-8ccs> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Matthew Garrett Cc: Jessica Yu , LSM List , Linux Kernel Mailing List , Linux API , David Howells , Kees Cook List-Id: linux-api@vger.kernel.org On Thu, 8 Aug 2019, Matthew Garrett wrote: > On Thu, Aug 8, 2019 at 3:01 AM Jessica Yu wrote: > > If you're confident that a hard dependency is not the right approach, > > then perhaps we could add a comment in the Kconfig (You could take a > > look at the comment under MODULE_SIG_ALL in init/Kconfig for an > > example)? If someone is configuring the kernel on their own then it'd > > be nice to let them know, otherwise having a lockdown kernel without > > module signatures would defeat the purpose of lockdown no? :-) > > James, what would your preference be here? Jessica is right that not > having CONFIG_MODULE_SIG enabled means lockdown probably doesn't work > as expected, but tying it to the lockdown LSM seems inappropriate when > another LSM could be providing lockdown policy and run into the same > issue. Should this just be mentioned in the CONFIG_MODULE_SIG Kconfig > help? I agree and yes mention it in the help. A respin of just this patch is fine. -- James Morris