public inbox for linux-kernel@vger.kernel.org
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Steven Rostedt <rostedt@goodmis.org>,
	Ingo Molnar <mingo@kernel.org>,
	linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	David Howells <dhowells@redhat.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [RFC PATCH] Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE
Date: Sun, 16 Feb 2014 23:58:21 +0000 (UTC)
Message-ID: <1459243542.25793.1392595101293.JavaMail.zimbra@efficios.com>
In-Reply-To: <878uteecu0.fsf@rustcorp.com.au>

----- Original Message -----
> From: "Rusty Russell" <rusty@rustcorp.com.au>
> To: "Steven Rostedt" <rostedt@goodmis.org>
> Cc: "Ingo Molnar" <mingo@kernel.org>, "Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
> linux-kernel@vger.kernel.org, "Ingo Molnar" <mingo@redhat.com>, "Thomas Gleixner" <tglx@linutronix.de>,
> "David Howells" <dhowells@redhat.com>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>
> Sent: Thursday, February 13, 2014 7:51:19 PM
> Subject: Re: [RFC PATCH] Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE
> 
> Steven Rostedt <rostedt@goodmis.org> writes:
> > On Thu, 13 Feb 2014 13:54:42 +1030
> > Rusty Russell <rusty@rustcorp.com.au> wrote:
> >
> >
> >> I'm ambivalent towards out-of-tree modules, so not tempted unless I see
> >> a bug report indicating a concrete problem.  Then we can discuss...
> >
> > As I replied in another email, this is a concrete problem, and affects
> > in-tree kernel modules.
> >
> > If you have the following in your .config:
> >
> > CONFIG_MODULE_SIG=y
> > # CONFIG_MODULE_SIG_FORCE is not set
> > # CONFIG_MODULE_SIG_ALL is not set
> 
> This means you've set the "I will arrange my own module signing" config
> option:
> 
> 	  Sign all modules during make modules_install. Without this option,
> 	  modules must be signed manually, using the scripts/sign-file tool.
> 
> comment "Do not forget to sign required modules with scripts/sign-file"
> 	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
> 
> Then you didn't do that.  You broke it, you get to keep both pieces.
> 
> Again: is there an actual valid use case?

One use-case where this is biting us for in-tree modules is when a user or
developer recompiles modules against a distribution kernel which has
CONFIG_MODULE_SIG set (and possibly CONFIG_MODULE_SIG_ALL), but does not
recompile the kernel per se. That user/developer might want to try out a
local modification to one of his modules (which is something within the
user's rights given by the GPL), or want to add tracepoints to a module to
figure out what is going wrong. It is then not possible to sign the
recompiled modules, since it makes no sense to expect distribution vendors
to ever distribute their private signing keys; that would defeat the whole
point of signing.

In those cases, when loaded in a kernel that is not enforcing module
signature, the recompiled modules will taint the kernel and modules with
"TAINT_FORCED_MODULE" (which is a lie: the modules can be loaded without
--force), and the tracepoints sitting in that module are silently ignored
(which is a bug).

Thanks,

Mathieu

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
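
As an added example (editor's own code, not from this thread, from EfficiOS or from the kernel tree), here is a small parser for the trailer that scripts/sign-file appends to a .ko, so a module rebuilt as described above can be checked for an appended signature before it is loaded and taints the kernel. It assumes the on-disk layout [module image][signer name][key id][signature][12-byte descriptor][marker "~Module signature appended~\n"] with a big-endian sig_len, which is the layout the kernel's appended-signature check walks backwards from the end of the file; the module bytes, signer name, key id and signature used in the demo are constructed, and the "signature" is not a cryptographic signature of anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker that scripts/sign-file appends after the signature descriptor. */
#define MODULE_SIG_STRING     "~Module signature appended~\n"
#define MODULE_SIG_STRING_LEN (sizeof(MODULE_SIG_STRING) - 1)
/* Descriptor: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, be32 sig_len. */
#define SIG_DESC_LEN 12

enum sig_status { SIG_PRESENT = 0, SIG_ABSENT = -1, SIG_MALFORMED = -2 };

struct sig_info {
    size_t module_len;                      /* bytes of module image before the trailer */
    uint8_t algo, hash, id_type;
    uint8_t signer_len, key_id_len;
    uint32_t sig_len;
    const uint8_t *signer, *key_id, *sig;   /* point into the caller's buffer */
};

/* 1 if the image ends with the marker, else 0. */
int has_module_signature(const uint8_t *buf, size_t len)
{
    return len >= MODULE_SIG_STRING_LEN &&
           memcmp(buf + len - MODULE_SIG_STRING_LEN, MODULE_SIG_STRING,
                  MODULE_SIG_STRING_LEN) == 0;
}

/* Walks the trailer backwards, refusing descriptor lengths that overrun the image. */
int parse_module_signature(const uint8_t *buf, size_t len, struct sig_info *out)
{
    const uint8_t *d;
    size_t trailer;

    if (!has_module_signature(buf, len))
        return SIG_ABSENT;
    len -= MODULE_SIG_STRING_LEN;
    if (len < SIG_DESC_LEN)
        return SIG_MALFORMED;
    d = buf + len - SIG_DESC_LEN;
    len -= SIG_DESC_LEN;
    out->algo = d[0]; out->hash = d[1]; out->id_type = d[2];
    out->signer_len = d[3]; out->key_id_len = d[4];
    out->sig_len = ((uint32_t)d[8] << 24) | ((uint32_t)d[9] << 16) |
                   ((uint32_t)d[10] << 8) | d[11];
    trailer = (size_t)out->signer_len + out->key_id_len + out->sig_len;
    if (trailer > len)                      /* lengths claim bytes the file does not have */
        return SIG_MALFORMED;
    out->module_len = len - trailer;
    out->signer = buf + out->module_len;
    out->key_id = out->signer + out->signer_len;
    out->sig = out->key_id + out->key_id_len;
    return SIG_PRESENT;
}

/* Appends a constructed trailer; the "signature" bytes are NOT a real signature. */
size_t append_fake_signature(uint8_t *dst, size_t cap, const uint8_t *mod, size_t modlen,
                             const char *signer, const uint8_t *key_id, uint8_t key_id_len,
                             const uint8_t *sig, uint32_t sig_len)
{
    size_t signer_len = strlen(signer), off = 0;
    uint8_t desc[SIG_DESC_LEN] = {0};

    if (signer_len > 255 ||
        modlen + signer_len + key_id_len + sig_len + SIG_DESC_LEN + MODULE_SIG_STRING_LEN > cap)
        return 0;
    memcpy(dst + off, mod, modlen);           off += modlen;
    memcpy(dst + off, signer, signer_len);    off += signer_len;
    memcpy(dst + off, key_id, key_id_len);    off += key_id_len;
    memcpy(dst + off, sig, sig_len);          off += sig_len;
    desc[0] = 1; desc[1] = 2; desc[2] = 1;    /* placeholder algo/hash/id_type values */
    desc[3] = (uint8_t)signer_len; desc[4] = key_id_len;
    desc[8] = (uint8_t)(sig_len >> 24); desc[9] = (uint8_t)(sig_len >> 16);
    desc[10] = (uint8_t)(sig_len >> 8); desc[11] = (uint8_t)sig_len;
    memcpy(dst + off, desc, SIG_DESC_LEN);    off += SIG_DESC_LEN;
    memcpy(dst + off, MODULE_SIG_STRING, MODULE_SIG_STRING_LEN); off += MODULE_SIG_STRING_LEN;
    return off;
}

/* Constructed inputs: 0 = unsigned image, 1 = fake-signed, 2 = fake-signed with sig_len corrupted. */
int demo_status(int variant, struct sig_info *info_out)
{
    static const uint8_t mod[] = "\x7f" "ELF-constructed-module-image";   /* 29 bytes */
    static const uint8_t key_id[] = {0xde, 0xad, 0xbe, 0xef};
    static const uint8_t sig[] = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11};
    uint8_t img[256];
    struct sig_info info = {0};
    int rc;

    if (variant == 0) {
        rc = parse_module_signature(mod, sizeof(mod) - 1, &info);
    } else {
        size_t n = append_fake_signature(img, sizeof(img), mod, sizeof(mod) - 1, "Test signer",
                                         key_id, sizeof(key_id), sig, sizeof(sig));
        if (variant == 2)
            img[n - MODULE_SIG_STRING_LEN - 1] = 0xff;   /* low byte of sig_len: now 255 */
        rc = parse_module_signature(img, n, &info);
    }
    if (info_out)
        *info_out = info;   /* pointer fields refer to img and are stale after return */
    return rc;
}

int main(void)
{
    struct sig_info info;
    printf("unsigned image: %d\n", demo_status(0, NULL));
    printf("fake-signed image: %d\n", demo_status(1, &info));
    printf("  module_len=%zu signer_len=%u key_id_len=%u sig_len=%u\n", info.module_len,
           (unsigned)info.signer_len, (unsigned)info.key_id_len, (unsigned)info.sig_len);
    printf("corrupted sig_len: %d\n", demo_status(2, NULL));
    return 0;
}
```

This only answers whether a signature was appended, which is exactly the question for a module rebuilt without the distribution's private key; whether a present signature is valid is decided by the kernel against its keyring at load time. On a kernel configured as in the .config quoted above (MODULE_SIG set, MODULE_SIG_FORCE not set) an unsigned module still loads and, as the message says, sets TAINT_FORCED_MODULE, which shows up as the 'F' taint flag and bit 1 (value 2) of /proc/sys/kernel/tainted.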


Thread overview: 36+ messages
2014-02-10 23:23 [RFC PATCH] Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE Mathieu Desnoyers
2014-02-11  7:27 ` Ingo Molnar
2014-02-12  4:45   ` Steven Rostedt
2014-02-12  5:51     ` Mathieu Desnoyers
2014-02-13  3:24     ` Rusty Russell
2014-02-13 21:11       ` Steven Rostedt
2014-02-13 21:24         ` Steven Rostedt
2014-02-14  3:32           ` Mathieu Desnoyers
2014-02-14  0:51         ` Rusty Russell
2014-02-16 23:58           ` Mathieu Desnoyers [this message]
2014-02-20 15:30           ` Steven Rostedt
2014-02-20 23:09             ` Rusty Russell
2014-02-21  4:09               ` Steven Rostedt
2014-02-21  8:10                 ` Johannes Berg
2014-02-26  2:51                   ` Rusty Russell
2014-02-26 12:55                     ` Mathieu Desnoyers
2014-02-13 15:10     ` Mathieu Desnoyers
2014-02-13 15:28       ` Steven Rostedt
2014-02-13 15:36         ` Frank Ch. Eigler
2014-02-13 15:44           ` Steven Rostedt
2014-02-13 21:42             ` Arend van Spriel
2014-02-13 15:41         ` Mathieu Desnoyers
2014-02-13 20:45           ` Steven Rostedt
2014-02-14  3:49             ` Mathieu Desnoyers
2014-02-24 15:54               ` Steven Rostedt
2014-02-24 16:55                 ` Mathieu Desnoyers
2014-02-24 17:39                   ` Steven Rostedt
2014-02-24 17:58                     ` Mathieu Desnoyers
2014-02-24 18:25                       ` Steven Rostedt
2014-02-26 19:55                       ` Steven Rostedt
2014-02-26  2:53                     ` Rusty Russell
2014-02-26 20:13                       ` Steven Rostedt
2014-02-24 18:32                 ` Mathieu Desnoyers
2014-02-24 19:10                   ` Steven Rostedt
2014-02-26 14:23                     ` Mathieu Desnoyers
2014-02-26 15:05                       ` Steven Rostedt
