From: Rusty Russell <rusty@rustcorp.com.au>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Howells <dhowells@redhat.com>,
kyle@mcmartin.ca, dmitry.kasatkin@intel.com,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@linux-nfs.org,
"Tim Abbott" <tabbott@ksplice.com>
Subject: Re: [PATCH 00/23] Crypto keys and module signing
Date: Tue, 05 Jun 2012 10:35:56 +0930 [thread overview]
Message-ID: <87wr3min4b.fsf@rustcorp.com.au> (raw)
In-Reply-To: <1338814071.4044.19.camel@falcor>
On Mon, 04 Jun 2012 08:47:51 -0400, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> On Mon, 2012-06-04 at 11:01 +0930, Rusty Russell wrote:
> > On Fri, 25 May 2012 16:42:19 +0100, David Howells <dhowells@redhat.com> wrote:
> > >
> > > Hi Rusty,
> > >
> > > If you prefer to have userspace extract the module signature and pass it in
> > > uargs, here's a tree that will do that:
> > >
> > > http://git.kernel.org/?p=linux/kernel/git/dhowells/linux-modsign.git;a=shortlog;h=refs/heads/modsign-uarg
> >
> > OK, there's merit in this approach: it certainly moves the argument
> > about how to encode the signature out of my backyard :)
> >
> > Should we just bite the bullet and create a new syscall:
> >
> > SYSCALL_DEFINE5(init_module2, void __user *, umod,
> > unsigned long, len, const char __user *, uargs,
> > unsigned int, siglen, const char __user *, sig)
> >
> > But I'm easily swayed if you prefer the current approach.
> >
> > Thanks,
> > Rusty.
>
> If you're really considering creating a new syscall, then perhaps this
> discussion should include passing the file descriptor instead of a
> buffer and signature. As I said https://lkml.org/lkml/2012/5/25/261, I
> don't know the historical reasons for passing a buffer instead of the
> file descriptor itself. If the file descriptor was passed, it would
> allow IMA-appraisal, which is in the process of being upstreamed, to
> verify and enforce file data and metadata integrity like on the other
> hooks open, execve, and mmap.
It's flexible. Compressed modules, for example. And who knew if we
would be runtime generating modules? But I don't think even the ksplice
guys generate modules on the fly for insertion.
modprobe has --force-vermagic and --force-modversion, but frankly that
could be replaced by a single "force" flag handed to the kernel.
If there's real benefit, it could be done. Do we still want a separate
signature blob?
SYSCALL_DEFINE5(init_module_fd,
int, fd,
unsigned int, flags,
const char *__user *, uargs,
unsigned int, siglen,
const char __user *, sig);
Cheers,
Rusty.
next prev parent reply other threads:[~2012-06-05 1:07 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-22 23:02 [PATCH 00/23] Crypto keys and module signing David Howells
2012-05-22 23:02 ` [PATCH 01/23] Guard check in module loader against integer overflow David Howells
2012-05-22 23:02 ` [PATCH 02/23] KEYS: Move the key config into security/keys/Kconfig David Howells
2012-05-22 23:02 ` [PATCH 03/23] KEYS: Announce key type (un)registration David Howells
2012-05-22 23:02 ` [PATCH 04/23] KEYS: Reorganise keys Makefile David Howells
2012-05-22 23:02 ` [PATCH 05/23] KEYS: Create a key type that can be used for general cryptographic operations David Howells
2012-05-22 23:03 ` [PATCH 06/23] KEYS: Add signature verification facility David Howells
2012-05-22 23:03 ` [PATCH 07/23] KEYS: Asymmetric public-key algorithm crypto key subtype David Howells
2012-05-22 23:03 ` [PATCH 08/23] KEYS: RSA signature verification algorithm David Howells
2012-05-22 23:03 ` [PATCH 09/23] Fix signature verification for shorter signatures David Howells
2012-05-22 23:03 ` [PATCH 10/23] PGPLIB: PGP definitions (RFC 4880) David Howells
2012-05-22 23:03 ` [PATCH 11/23] PGPLIB: Basic packet parser David Howells
2012-05-22 23:03 ` [PATCH 12/23] PGPLIB: Signature parser David Howells
2012-05-22 23:03 ` [PATCH 13/23] KEYS: PGP data parser David Howells
2012-05-22 23:04 ` [PATCH 14/23] KEYS: PGP-based public key signature verification David Howells
2012-05-22 23:04 ` [PATCH 15/23] KEYS: PGP format signature parser David Howells
2012-05-22 23:04 ` [PATCH 16/23] KEYS: Provide a function to load keys from a PGP keyring blob David Howells
2012-05-22 23:04 ` [PATCH 17/23] MODSIGN: Provide gitignore and make clean rules for extra files David Howells
2012-05-22 23:04 ` [PATCH 18/23] MODSIGN: Provide Documentation and Kconfig options David Howells
2012-05-22 23:04 ` [PATCH 19/23] MODSIGN: Sign modules during the build process David Howells
2012-05-22 23:04 ` [PATCH 20/23] MODSIGN: Provide module signing public keys to the kernel David Howells
2012-05-22 23:05 ` [PATCH 21/23] MODSIGN: Module signature verification David Howells
2012-05-22 23:05 ` [PATCH 22/23] MODSIGN: Automatically generate module signing keys if missing David Howells
2012-05-22 23:05 ` [PATCH 23/23] MODSIGN: Panic the kernel if FIPS is enabled upon module signing failure David Howells
2012-05-23 12:51 ` [PATCH 00/23] Crypto keys and module signing Rusty Russell
2012-05-23 14:20 ` David Howells
2012-05-24 12:04 ` Rusty Russell
2012-05-24 14:00 ` David Howells
2012-05-27 5:41 ` Rusty Russell
2012-05-31 14:11 ` David Howells
2012-05-31 15:35 ` Josh Boyer
2012-06-04 1:16 ` Rusty Russell
2012-06-04 13:38 ` Josh Boyer
2012-06-05 0:23 ` Rusty Russell
2012-06-22 1:53 ` Greg KH
2012-06-22 3:29 ` Lucas De Marchi
2012-06-22 4:05 ` Rusty Russell
2012-06-22 11:03 ` David Howells
2012-06-23 0:20 ` Rusty Russell
2012-05-25 11:15 ` Kasatkin, Dmitry
2012-05-25 11:37 ` David Howells
2012-05-25 13:08 ` Mimi Zohar
2012-05-25 13:53 ` David Howells
2012-05-25 14:40 ` Mimi Zohar
2012-05-25 12:18 ` David Howells
2012-05-25 15:42 ` David Howells
2012-06-04 1:31 ` Rusty Russell
2012-06-04 12:47 ` Mimi Zohar
2012-06-05 1:05 ` Rusty Russell [this message]
2012-06-05 11:39 ` Mimi Zohar
2012-06-05 13:37 ` David Howells
2012-06-05 14:36 ` Kasatkin, Dmitry
2012-06-05 13:35 ` David Howells
2012-06-10 5:47 ` Rusty Russell
2012-06-11 8:30 ` Kasatkin, Dmitry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wr3min4b.fsf@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=keyrings@linux-nfs.org \
--cc=kyle@mcmartin.ca \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=tabbott@ksplice.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).