Re: [GIT PULL] Crypto keys and module signing

[Arjan van de Ven]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/10/2011 3:42 AM, Arkadiusz Miśkiewicz wrote:
> On Wed, Dec 7, 2011 at 3:47 PM, David Howells <dhowells@xxxxxxxxxx>
> wrote:
>> 
>> Hi James,
>> 
>> Could you pull my module signing code into the security tree?
>> The patches can be viewed here:
>> 
>> http://git.kernel.org/?p=linux/kernel/git/dhowells/linux-modsign.git;a=shortlog;h=refs/heads/devel
>
>> 
> If I understand it is not possible to sign modules after they are 
> built and load keys without actually rebuilding kernel?

only if the end user chooses to enforce the signature.

> 
> For distro kernel the public and secret keys have to be available 
> publicly, right? Otherwise people using distro kernels won't be
> able to build own signed modules for use with that distro kernel.

That's a distro choice, but... again:

only if the user chooses to enforce the signature.
Very few people actually build their own modules, and for the people
that don't, they can chose to harden their server by only allowing
signed (eg distro shipped) modules.

For those who prefer to build a few other things and still want
security, they can also rebuild the kernel.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJO46r4AAoJEEHdSxh4DVnE39cIALufzQHXgIycaRnImtEWSPrq
PN5ac052lb59YGEbSsUF/Er/SOLfdwJQbD2Gz2/0QCPWfpb64pozDDwFh1IhvvEp
q4D/1wAJBXOaEj1FESPxHkbwvdYe701pgLq0ERQu4SSx69wNMFXNMmp06Jbxuujp
ZRhQcuJQsd76mJi8MZ2f9qnzR+3MQ9zFGK2alqDfb0WiELBc+Cz1nj2tCXrB5AFa
7osPZJK2iBcD+2sfryMEuJWxOjWxm/ZiEz2oIV0vRtnozVEAIYaeJ2Xe6n72Zj3W
AuAGbnfE9j7yzBVz+9KOZEd2DW7MF7Xns4Vn1/1y6W0h0RsXTq15LIXApJL760I=
=fCSX
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/