From: Rusty Russell <rusty@rustcorp.com.au>
To: Josh Boyer <jwboyer@redhat.com>
Cc: "Frank Ch. Eigler" <fche@redhat.com>,
dhowells@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] MODSIGN: Don't taint unless signature enforcing is enabled
Date: Mon, 07 Jan 2013 11:39:47 +1030 [thread overview]
Message-ID: <87bod14x44.fsf@rustcorp.com.au> (raw)
In-Reply-To: <20130104191205.GD27554@hansolo.jdub.homelinux.org>
Josh Boyer <jwboyer@redhat.com> writes:
> With module signing enabled but not in enforcing mode, we don't consider
> unsigned modules to be an error. However, we only mark sig_ok as true if
> a signature verified. This causes the module to be tainted with the
> TAINT_FORCED_MODULE flag.
Wait, what? So, what does CONFIG_MODULE_SIG=y with MODULE_SIG_FORCE=n
mean? Why not just call that CONFIG_USELESS_BLOAT? :)
> That in turn taints the kernel, which also disables lockdep.
Yeah, lockdep is oversensitive. This has been argued before, take it up
with Ingo. Perhaps we need a taint flag bit to indicate that lockdep
should actually be disabled?
> Tainting the module and kernel when we don't consider something to be an
> error seems excessive. This marks sig_ok as true if we aren't in enforcing
> mode.
If we were to do this, please follow Plauger's Law: "Don't patch bad
code - rewrite it."
In this case, rip out the now-useless sig_ok field.
Thanks,
Rusty.
> diff --git a/kernel/module.c b/kernel/module.c
> index 250092c..a50172e 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2443,8 +2443,10 @@ static int module_sig_check(struct load_info *info)
> if (err < 0 && fips_enabled)
> panic("Module verification failed with error %d in FIPS mode\n",
> err);
> - if (err == -ENOKEY && !sig_enforce)
> + if (err == -ENOKEY && !sig_enforce) {
> + info->sig_ok = true;
> err = 0;
> + }
>
> return err;
> }
> --
> 1.8.0.1
next prev parent reply other threads:[~2013-01-07 1:17 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-04 19:12 [PATCH] MODSIGN: Don't taint unless signature enforcing is enabled Josh Boyer
2013-01-07 1:09 ` Rusty Russell [this message]
2013-01-07 14:58 ` Josh Boyer
2013-01-15 19:09 ` [PATCH] MODSIGN: Add TAINT_NOKEY_MODULE Josh Boyer
2013-01-16 3:34 ` Rusty Russell
2013-01-16 13:21 ` Josh Boyer
2013-01-16 19:37 ` Josh Boyer
2013-01-17 0:57 ` Rusty Russell
2013-01-17 15:02 ` Dave Jones
[not found] ` <8738xvxv55.fsf@rustcorp.com.au>
2013-01-21 0:19 ` Frank Ch. Eigler
2013-01-21 1:50 ` Rusty Russell
2013-01-21 0:46 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bod14x44.fsf@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=dhowells@redhat.com \
--cc=fche@redhat.com \
--cc=jwboyer@redhat.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox