Re: [PATCH] MODSIGN: Don't taint unless signature enforcing is enabled
From: Rusty Russell
Date: Sun Jan 06 2013 - 20:17:13 EST
Josh Boyer <jwboyer@xxxxxxxxxx> writes:
> With module signing enabled but not in enforcing mode, we don't consider
> unsigned modules to be an error. However, we only mark sig_ok as true if
> a signature verified. This causes the module to be tainted with the
> TAINT_FORCED_MODULE flag.
Wait, what? So, what does CONFIG_MODULE_SIG=y with MODULE_SIG_FORCE=n
mean? Why not just call that CONFIG_USELESS_BLOAT? :)
> That in turn taints the kernel, which also disables lockdep.
Yeah, lockdep is oversensitive. This has been argued before, take it up
with Ingo. Perhaps we need a taint flag bit to indicate that lockdep
should actually be disabled?
> Tainting the module and kernel when we don't consider something to be an
> error seems excessive. This marks sig_ok as true if we aren't in enforcing
> mode.
If we were to do this, please follow Plauger's Law: "Don't patch bad
code - rewrite it."
In this case, rip out the now-useless sig_ok field.
Thanks,
Rusty.
> diff --git a/kernel/module.c b/kernel/module.c
> index 250092c..a50172e 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2443,8 +2443,10 @@ static int module_sig_check(struct load_info *info)
> if (err < 0 && fips_enabled)
> panic("Module verification failed with error %d in FIPS mode\n",
> err);
> - if (err == -ENOKEY && !sig_enforce)
> + if (err == -ENOKEY && !sig_enforce) {
> + info->sig_ok = true;
> err = 0;
> + }
>
> return err;
> }
> --
> 1.8.0.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/