Re: [PATCH v2 0/4] modsign enhancement

From: Jessica Yu
Date: Mon Mar 12 2018 - 09:28:39 EST


+++ Jia Zhang [08/03/18 12:26 +0800]:
> This patch series allows disabling module validity enforcement
> at runtime through the /sys/kernel/security/modsign/enforce interface.
>
> Assuming CONFIG_MODULE_SIG_FORCE=y, here are the instructions to
> disable the validity enforcement.
>
> # cat /sys/kernel/security/modsign/enforce
> # echo -n 0 > data
> # openssl smime -sign -nocerts -noattr -binary -in data \
>     -inkey <system_trusted_key> -signer <cert> -outform der \
>     -out /sys/kernel/security/modsign/enforce
>
> Now enable enforcement again on demand.
>
> # echo 1 > /sys/kernel/security/modsign/enforce
>
> Changelog:
> v2:
> - Support disabling validity enforcement at runtime.

NAK - please use /sys/module/module/parameters/sig_enforce.

And I would rather keep this parameter bool_enable_only, plain and simple.
What use case do you have/why would you want to disable signature
enforcement - after having enabled it - during runtime? None of this
is explained nor justified in the cover letter.

Thanks,

Jessica