Re: RFC: sign the modules at install time

From: Linus Torvalds
Date: Fri Oct 19 2012 - 18:04:21 EST


On Fri, Oct 19, 2012 at 12:58 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Tssk. I fixed it up, and now it works-for-me(tm), but some perl person
> probably really should try to make that sign-file and x509keyid merge.
> My fix made the thing even slower, doing two extra "wc -c" invocations
> since it can't do "${#..}" expansion due to the locale problem.

Hmm. I haven't seen this breakage personally yet, but looking more at
Rusty's last changes I'm pretty sure my fixes are potentially not
sufficient.

In particular, this line from Rusty's sign-file script simplification
makes me worry:

    KEYID="`perl $keyid_script $x509 keyid`"

and the problem is that the 'keyid' is a binary blob.

And I'm pretty damn sure that assigning random binary data to shell
variables is going to break eventually. In particular, I tested NUL
characters, and bash is not happy about doing things like

    a="`echo -en '\000'`"

and 'a' ends up empty, not containing a one-byte string containing a
NUL character. Not to mention that even if the shell were to handle
this correctly, if you do

    echo -n "$a"

then even *if* the shell remembered that 'a' contains one NUL
character, when it then executes the 'echo' binary, that will
certainly not be able to handle it. With a built-in 'echo' it _could_
work, with an external one it fundamentally could not. NUL is special,
and terminates strings at execve(). You cannot have NUL bytes in
arguments.

Of course, I don't know the rules for x509 key id blobs. Maybe they
aren't allowed to contain NUL anyway?

Possible solutions:

- Linus is a worry-wart, and key id's never contain NUL.

- somebody with the appropriate perl-fu does the perl conversion, and
keeps it all in perl.

- somebody with (slightly less) perl-fu makes the x509 keyid_script
return a quoted string, so that we can save that *quoted* version for
the shell interaction (perhaps in a similar format that we now use
for the "prologue" variable, ie just a list of hex bytes)

otherwise we need to go back to putting the binary blob in a file
(which shell won't corrupt).

Rusty, David?

Linus
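
Added example (not part of the message above and not the kernel's sign-file script): a POSIX sh sketch of the NUL loss described in the message, next to the "list of hex bytes" option from the possible solutions. The key id bytes are constructed sample data and all function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: a 5-byte "key id" containing two NULs (01 00 ab 00 ff).
sample_keyid() {
    printf '\001\000\253\000\377'
}

# Byte count that survives a trip through a shell variable.
# bash and dash drop NULs read from a command substitution; newer
# bash also warns about it on stderr, hence the redirect.
len_via_variable() {
    { v=$(sample_keyid); } 2>/dev/null
    printf '%s' "$v" | wc -c | tr -d ' '
}

# Hex-encode the blob in the pipeline, before the shell stores it.
# The variable then only ever holds [0-9a-f], which is safe to
# assign, quote and pass through execve().
keyid_hex() {
    sample_keyid | od -An -tx1 | tr -d ' \t\n'
}

# Decode a hex string back to raw bytes on stdout (pipe or file only,
# never back into a variable). Each byte goes through printf's %b
# octal escape, which is POSIX, unlike \x.
hex_to_bin() {
    hex=$1
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}     # first two hex digits
        hex=${hex#??}               # remainder
        printf '%b' "\\0$(printf '%03o' "0x$byte")"
    done
}

echo "bytes in blob:          $(sample_keyid | wc -c | tr -d ' ')"
echo "bytes via variable:     $(len_via_variable)"
echo "hex form:               $(keyid_hex)"
echo "bytes after hex decode: $(hex_to_bin "$(keyid_hex)" | wc -c | tr -d ' ')"
```
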