Re: [RFC PATCH] Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE

From: Steven Rostedt
Date: Tue Feb 11 2014 - 23:45:45 EST


On Tue, 11 Feb 2014 08:27:38 +0100
Ingo Molnar <mingo@xxxxxxxxxx> wrote:

>
> * Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx> wrote:
>
> > Users have reported being unable to trace non-signed modules loaded
> > within a kernel supporting module signature.
>
> External modules should strive to get out of the 'crap' and
> 'felony law breaker' categories and we should not make it
> easier for them to linger in a broken state.
>
> Nacked-by: Ingo Molnar <mingo@xxxxxxxxxx>

I'm not sure how great this idea is, but it isn't the same as the
"crap" and "fenony law breaker" categories. Having a non-signed module
doesn't mean that it isn't fully GPL compliant, it just means that it
hasn't been signed. There's several things that can taint the kernel
when loading a module. Being non GPL compliant is just one of them, and
that will never be allowed to accept tracepoints.

Forcing a module that was built for a different kernel version gives us
another taint, which we don't add tracepoints for, not because it is
not compliant, but because that could corrupt the kernel as we can
not guarantee the binary structure layout of those modules would be the
same as what the kernel was built with. We don't want people
complaining about tracepoint failures due to forcing an older module
into a newer kernel with different tracepoint structures.

But if the kernel expects to have signed modules, and you force a
module to be loaded that is not signed, then you still get that
"forced" module taint, which is the same one as loading a module from
an older kernel into a newer kernel. It's a different problem, and I
can see having a different taint flag be more informative to kernel
developers in general. I would welcome that change with or without
letting tracepoints be set for that module.

But I have to ask Mathieu, what exactly is the use case here? If you
have a kernel that expects to only load signed modules, why would you
want to force non signed ones? That basically breaks the whole purpose
of signing modules. Once you allow a non signed module to be loaded
then the kernel can be considered compromised. That is, you just gave
kernel access to an untrusted source.

-- Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/