Re: [PATCH 0/3] ELF executable signing and verification

From: Rusty Russell
Date: Tue Jan 22 2013 - 01:27:27 EST

Next message: Mark Brown: "Re: [PATCH 05/15] ASoC: fsl: fiq and dma cannot both be modules"
Previous message: Rusty Russell: "Re: [PATCH] MODSIGN: Warn when module signature checking fails"
In reply to: Vivek Goyal: "Re: [PATCH 0/3] ELF executable signing and verification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Vivek Goyal <vgoyal@xxxxxxxxxx> writes:
> Hi,
>
> This is a very crude RFC for ELF executable signing and verification. This
> has been done along the lines of module signature verification.

Yes, but I'm the first to admit that's the wrong lines.

The reasons we didn't choose that for module signatures:
1) I was unaware of it,
2) We didn't have a file descriptor in the module syscall, and
3) It needs attributes, and we don't understand xattrs in cpio (though
bsdcpio does).

#1 and #2 are no longer true; #3 is a simple matter of coding.

Since signing binaries is the New Hotness, I'd prefer not to keep
reiterating this discussion every month. Let's beef up IMA instead...

Thanks,
Rusty.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mark Brown: "Re: [PATCH 05/15] ASoC: fsl: fiq and dma cannot both be modules"
Previous message: Rusty Russell: "Re: [PATCH] MODSIGN: Warn when module signature checking fails"
In reply to: Vivek Goyal: "Re: [PATCH 0/3] ELF executable signing and verification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]