Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751720AbbESUFg (ORCPT <rfc822;w@1wt.eu>);
	Tue, 19 May 2015 16:05:36 -0400
Received: from mail-la0-f54.google.com ([209.85.215.54]:35965 "EHLO
	mail-la0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750782AbbESUFd (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 19 May 2015 16:05:33 -0400
MIME-Version: 1.0
In-Reply-To: <1432065634.3277.81.camel@infradead.org>
References: <31154.1431965087@warthog.procyon.org.uk> <CA+55aFyOCh=+xSzZwWBjFbx5hU48pGEoSSXq2TPa-u-VabJfOQ@mail.gmail.com>
 <555A88FB.7000809@kernel.org> <CA+55aFxuSOdTXO4RNc48etA22dWttUumuPBm8YW_qyYHxLQpiQ@mail.gmail.com>
 <CALCETrXO25VvR5DsAQVrpWz2UGJChpwqjXnKiFhNXdCG0xXPMg@mail.gmail.com>
 <1432058889.3277.73.camel@infradead.org> <CALCETrXGv-bi9GKWxm9n71wx6sYotpL4rm9OUB5d2Hh2h9FdJg@mail.gmail.com>
 <1432060732.3277.77.camel@infradead.org> <CALCETrVBwmVncxf_SA84gKfYtSbPp+7yhh2Z_oxtTZ7MbywbMw@mail.gmail.com>
 <1432065634.3277.81.camel@infradead.org>
From: Andy Lutomirski <luto@amacapital.net>
Date: Tue, 19 May 2015 13:05:11 -0700
Message-ID: <CALCETrVtuCAZQX=9FRo4FVfedAOWfj9mfYkadJPbKKB1rY-Z-A@mail.gmail.com>
Subject: Re: Should we automatically generate a module signing key at all?
To: David Woodhouse <dwmw2@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Andy Lutomirski <luto@kernel.org>, David Howells <dhowells@redhat.com>,
        Michal Marek <mmarek@suse.cz>,
        Abelardo Ricart III <aricart@memnix.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Sedat Dilek <sedat.dilek@gmail.com>, keyrings@linux-nfs.org,
        Rusty Russell <rusty@rustcorp.com.au>,
        LSM List <linux-security-module@vger.kernel.org>,
        Borislav Petkov <bp@alien8.de>, Jiri Kosina <jkosina@suse.cz>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1528
Lines: 32

On Tue, May 19, 2015 at 1:00 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> On Tue, 2015-05-19 at 11:49 -0700, Andy Lutomirski wrote:
>>
>> If we use hashes instead of signatures on in-tree modules (at least in
>> the case where no long-term key is provided), then generation of the
>> temporary signing key stops being an issue because there is no longer
>> a temporary signing key.
>
> With signatures I can make a one-line change to a module and rebuild it,
> and still load it without having to rebuild my vmlinux to 'permit' it.
>
> My signing key is valid for as long as I *choose* it to be valid.
>
> I appreciate why that's a problem in your scenario, but it's a valid and
> useful feature of signatures, and I don't think we can just abandon it.

True, but I'd consider that use case (running a kernel built on a
development machine) to be more in line with unsigned use or long-term
(maybe medium-term) signing keys.

IOW, for this use case, running scripts/generate_module_signing_key or
whatever and configuring accordingly seems entirely reasonable to me.
Or you could just turn off forced module signature verification since
keeping the signing key in plaintext on your machine mostly negates
any benefit of verifying signatures on that machine at runtime.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/