Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755182AbbESHmX (ORCPT <rfc822;w@1wt.eu>);
	Tue, 19 May 2015 03:42:23 -0400
Received: from bombadil.infradead.org ([198.137.202.9]:38017 "EHLO
	bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753850AbbESHmV (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 19 May 2015 03:42:21 -0400
Message-ID: <1432021332.3277.32.camel@infradead.org>
Subject: Re: Should we automatically generate a module signing key at all?
From: David Woodhouse <dwmw2@infradead.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        David Howells <dhowells@redhat.com>, Michal Marek <mmarek@suse.cz>,
        Abelardo Ricart III <aricart@memnix.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Sedat Dilek <sedat.dilek@gmail.com>, keyrings@linux-nfs.org,
        Rusty Russell <rusty@rustcorp.com.au>,
        LSM List <linux-security-module@vger.kernel.org>,
        Borislav Petkov <bp@alien8.de>, Jiri Kosina <jkosina@suse.cz>
Date: Tue, 19 May 2015 08:42:12 +0100
In-Reply-To: <555A88FB.7000809@kernel.org>
References: <31154.1431965087@warthog.procyon.org.uk>
	 <CA+55aFyOCh=+xSzZwWBjFbx5hU48pGEoSSXq2TPa-u-VabJfOQ@mail.gmail.com>
	 <555A88FB.7000809@kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by bombadil.infradead.org
	See http://www.infradead.org/rpr.html
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1692
Lines: 34

On Mon, 2015-05-18 at 17:51 -0700, Andy Lutomirski wrote:
> I think we should get rid of the idea of automatically generated signing 
> keys entirely.  Instead I think we should generate, at build time, a 
> list of all the module hashes and link that into vmlinux.

How many module hashes can you have hard-coded into the image, before
all that (non-compressible, I hope!) data ends up being larger than the
'public key crud'?

If you really wanted to make the public key version minimal, I bet you
could rip out the X.509 support and make it *just* check that the module
is signed by a single specified RSA public key. We're fairly certain to
have a hash algorithm in the kernel already, and all we really need on
top of that is RSA-encrypt — for which there are other uses, too.

> Also, this scheme is compatible with deterministic builds, whereas the 
> current scheme is fundamentally broken if you try to deterministically 
> build a kernel without trusting some key issuer.

Well, if you're just trying to check that you can reproduce the previous
kernel then you don't need the private key at all. You don't get to
reproduce the *signing* step from scratch; all you can do is validate
that the previously-generated signature is still correct. But you can
reproduce the *compilation*.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@intel.com                              Intel Corporation

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/