Date: Thu, 21 May 2015 17:03:04 -0700
Subject: Re: Should we automatically generate a module signing key at all?
From: Linus Torvalds
To: George Spelvin
Cc: Andy Lutomirski, David Howells, David Woodhouse, Linux Kernel Mailing List, LSM List, petkan@mip-labs.com, "Theodore Ts'o", Mimi Zohar
In-Reply-To: <20150521235430.24546.qmail@ns.horizon.com>
References: <20150521235430.24546.qmail@ns.horizon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 21, 2015 at 4:54 PM, George Spelvin wrote:
>
> The annoying thing is that it's a two-pass process: the kernel has to
> have the hashes of ALL of the modules to generate the sibling hashes
> for ANY of them.

It's also very annoying because the whole build gets much nastier,
particularly if you want to have modules in external trees.

In short, I don't see any actual *advantages* over just using signed
modules. Signing is much more flexible, and thanks to that extra
indirection (the signing key), there are no ordering constraints on
generating modules vs the kernel.

I realize that people have political objections to signing, but it's
the better technology, for chissake!

                  Linus