From: Linus Torvalds
To: Andy Lutomirski
Cc: Mimi Zohar, "Theodore Ts'o", David Howells, Andy Lutomirski, Michal Marek, David Woodhouse, Abelardo Ricart III, Linux Kernel Mailing List, Sedat Dilek, keyrings@linux-nfs.org, Rusty Russell, LSM List, Borislav Petkov, Jiri Kosina
Subject: Re: Should we automatically generate a module signing key at all?
Date: Tue, 19 May 2015 10:53:19 -0700
References: <31154.1431965087@warthog.procyon.org.uk> <555A88FB.7000809@kernel.org> <29742.1432025631@warthog.procyon.org.uk> <1752.1432049417@warthog.procyon.org.uk> <20150519155532.GB2871@thunk.org> <1432056720.4510.143.camel@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 19, 2015 at 10:43 AM, Andy Lutomirski wrote:
>
> If it weren't a giant PITA, I would consider enabling module signing,
> but I don't see much point on my system since I don't have secure boot
> and I think it's misguided that kernel mode code should be considered
> more important to protect than fully privileged user-space code.

What PITA? Do this:

    CONFIG_MODULE_SIG=y
    CONFIG_MODULE_SIG_FORCE=y
    CONFIG_MODULE_SIG_ALL=y

and you're done. You don't need to do anything else. There's no PITA.
It just works.

I do this in my /etc/kernel-config, so *all* the kernels I build and
boot have this, and I never even have to think about it, much less have
to do anything special.

I don't even bother removing the key consciously, because I end up
doing "git clean -dqfx ; make allmodconfig ; make -j16" so many times a
day during the merge window anyway that it doesn't last.

Enabling those three config options makes the build generate the key
for you, and assuming you just remove the key after the build/install
(incidentally like I do, or consciously like you *should* do it), it
makes your kernel as secure as if you were to just build everything
into the kernel.

Is it going to fix any *other* security issues? No. But it does mean
that if you somehow have a security issue, the attacker is going to
have a *much* harder time to install a rootkit kernel module that
actively hides the attack from you.

And that is not some theoretical concern. There have been multiple
cases of that.

                Linus
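The checks a practitioner would want after following the three-option recipe above, as an added example that is not part of Linus's message or of the kernel tree: a POSIX shell script that verifies the options in a kernel .config, verifies that the running kernel actually refuses unsigned modules, and verifies (or performs) the removal of the build's private signing key. Assumptions: the sysfs parameter /sys/module/module/parameters/sig_enforce is present on kernels built with CONFIG_MODULE_SIG (it reads Y and is read-only when CONFIG_MODULE_SIG_FORCE=y), and the private key file names, which depend on kernel version (signing_key.priv at the top of a 2015-era tree, certs/signing_key.pem in later trees).

```shell
#!/bin/sh
# Added example: verify the module-signing setup described in the thread.
# Not code from the LKML discussion or from the kernel tree.

# Succeeds only when all three options are =y in the given .config.
# Default path is the distro-installed config of the running kernel.
modsig_config_ok() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for opt in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE CONFIG_MODULE_SIG_ALL; do
        # -x: whole-line match, so CONFIG_MODULE_SIG=y does not also satisfy
        # the check for CONFIG_MODULE_SIG_FORCE=y by prefix
        grep -qx "${opt}=y" "$cfg" || { echo "$opt not enabled in $cfg" >&2; return 1; }
    done
    return 0
}

# Succeeds when the running kernel refuses unsigned modules.
# Assumption: sig_enforce exists under /sys/module/module/parameters on any
# kernel built with CONFIG_MODULE_SIG; it is Y and read-only with _FORCE=y.
running_kernel_enforces() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "Y" ]
}

# Succeeds when no private signing key is left in the source tree.
# Assumption: key file names depend on kernel version (signing_key.priv in
# 2015-era trees, certs/signing_key.pem in later ones).
signing_key_absent() {
    tree="${1:-.}"
    for k in signing_key.priv certs/signing_key.pem; do
        [ -e "$tree/$k" ] && { echo "private key still present: $tree/$k" >&2; return 1; }
    done
    return 0
}

# Delete the private key after build/install, the step the message says you
# *should* do consciously; the public half stays compiled into the kernel.
remove_signing_key() {
    tree="${1:-.}"
    for k in signing_key.priv certs/signing_key.pem; do
        [ -e "$tree/$k" ] && rm -f "$tree/$k"
    done
    signing_key_absent "$tree"
}
```

Typical use: `modsig_config_ok` with no argument against the installed config, `running_kernel_enforces` after reboot, and `remove_signing_key /path/to/linux` once `make modules_install` has run, so that a later compromise of the build box cannot sign a module for the kernel already deployed.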