Re: [PATCH v2 0/4] modsign enhancement

From: Jia Zhang
Date: Mon Mar 12 2018 - 10:15:58 EST




On 2018/3/12 9:28, Jessica Yu wrote:
> +++ Jia Zhang [08/03/18 12:26 +0800]:
>> This patch series allows disabling module validity enforcement
>> at runtime through the /sys/kernel/security/modsign/enforce interface.
>>
>> Assuming CONFIG_MODULE_SIG_FORCE=y, here are the instructions to
>> disable the validity enforcement.
>>
>> # cat /sys/kernel/security/modsign/enforce
>> # echo -n 0 > data
>> # openssl smime -sign -nocerts -noattr -binary -in data \
>>    -inkey <system_trusted_key> -signer <cert> -outform der \
>>    -out /sys/kernel/security/modsign/enforce
>>
>> Now enable enforcement again on demand.
>>
>> # echo 1 > /sys/kernel/security/modsign/enforce
>>
>> Changelog:
>> v2:
>> - Support to disable validity enforcement in runtime.
>
> NAK - please use /sys/module/module/parameters/sig_enforce.
>
> And I would rather keep this parameter bool_enable_only, plain and simple.
> What use case do you have/why would you want to disable signature
> enforcement - after having enabled it - during runtime? None of this
> is explained nor justified in the cover letter.

Because there is no way to disable it, such as module.no_sig_enforce,
available when MODULE_SIG_FORCE=y, unless re-compiling a kernel without
this enforcement. This is a bit inconvenient. IMA and SELinux both have
cmdline control, but modsign doesn't.

Even if we really have a module.no_sig_enforce in cmdline, runtime
disablement can be used to avoid a machine reboot. Sometimes a machine
reboot is expensive.

If you agree, I can implement the runtime disablement via
/sys/module/module/parameters/sig_enforce. Additionally, supporting
module.no_sig_enforce when MODULE_SIG_FORCE=y is another one to be
implemented.

Thanks,
Jia

>
> Thanks,
>
> Jessica
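
The "bool_enable_only" behaviour Jessica asks to keep for sig_enforce is a one-way latch: the flag can be turned on but never off again. The following user-space model is an added example, not code from this thread or from the kernel; the names `sig_enforce_model`, `parse_bool_model` and `set_enable_only_model`, the simplified parser and the error codes are assumptions of the model.

```c
/* User-space model (added example) of an enable-only boolean parameter. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the module loader's enforcement flag. */
static bool sig_enforce_model;

/* Simplified boolean parser (assumption): y/Y/1/on and n/N/0/off only. */
static int parse_bool_model(const char *s, bool *out)
{
	if (!s || !*s)
		return -EINVAL;
	if (s[0] == 'y' || s[0] == 'Y' || s[0] == '1' || !strncmp(s, "on", 2)) {
		*out = true;
		return 0;
	}
	if (s[0] == 'n' || s[0] == 'N' || s[0] == '0' || !strncmp(s, "off", 3)) {
		*out = false;
		return 0;
	}
	return -EINVAL;
}

/* Store handler: false -> true is allowed, true -> false is refused. */
static int set_enable_only_model(const char *val, bool *flag)
{
	bool new_value;
	int err = parse_bool_model(val, &new_value);

	if (err)
		return err;          /* unparsable input leaves the flag untouched */
	if (!new_value && *flag)
		return -EROFS;       /* once set, the flag cannot be cleared */
	if (new_value)
		*flag = true;
	return 0;
}

int main(void)
{
	const char *writes[] = { "0", "1", "0", "junk", "Y" }; /* constructed inputs */

	for (size_t i = 0; i < sizeof(writes) / sizeof(writes[0]); i++) {
		int rc = set_enable_only_model(writes[i], &sig_enforce_model);
		printf("write \"%s\" -> rc=%d, flag=%c\n", writes[i], rc,
		       sig_enforce_model ? 'Y' : 'N');
	}
	return 0;
}
```

With this latch, a write of 0 after enforcement has been enabled fails and the flag stays set, which is the property the runtime-disable proposal would remove.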