Date: Tue, 19 May 2015 19:09:17 +0300
From: Petko Manolov
To: "Theodore Ts'o", David Howells, Andy Lutomirski, Andy Lutomirski, Linus Torvalds, Michal Marek, David Woodhouse, Abelardo Ricart III, Linux Kernel Mailing List, Sedat Dilek, keyrings@linux-nfs.org, Rusty Russell, LSM List, Borislav Petkov, Jiri Kosina
Subject: Re: Should we automatically generate a module signing key at all?
Message-ID: <20150519160917.GD7549@localhost>
In-Reply-To: <20150519155532.GB2871@thunk.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 15-05-19 11:55:32, Theodore Ts'o wrote:
>
> So I'm really curious --- are there significant numbers of people
> doing kernel builds, besides distro kernel engineers, who would use
> module signing? If so, then sure, let's spend time optimizing so that
> it's really easy for those folks. If not, maybe it's simpler to just
> make things easy for people who will be storing the key in some
> external hardware device, and just be done with it.

I am working on a project that requires kernel module authenticity. Building a
monolithic kernel is not an option. It is also a highly customized system where
uptime is very important. The machine is going to be exposed to all the fun of
contemporary Internet connectivity, so every piece of code or data on this box
must be measured and authenticated prior to accessing it.

I do agree that this is not the common case, though.

cheers,
Petko