Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1946028AbbEVUpD (ORCPT <rfc822;w@1wt.eu>);
	Fri, 22 May 2015 16:45:03 -0400
Received: from mail-la0-f50.google.com ([209.85.215.50]:34011 "EHLO
	mail-la0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1945990AbbEVUo7 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 22 May 2015 16:44:59 -0400
MIME-Version: 1.0
In-Reply-To: <CA+55aFxYa9rd8mrJjkbUvKvLifn8uos40uNjj8L1ug873i5_aQ@mail.gmail.com>
References: <CA+55aFxLRaZpBPUwPabmNoYGwTraM0aLv06rNPhstyT3k+hBig@mail.gmail.com>
 <20150522141358.2581.qmail@ns.horizon.com> <CA+55aFxYa9rd8mrJjkbUvKvLifn8uos40uNjj8L1ug873i5_aQ@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 22 May 2015 13:44:37 -0700
Message-ID: <CALCETrWvmV0Qn-qSG0ROg913Cu2va2FYbe2bihmFW4rriU0GVA@mail.gmail.com>
Subject: Re: Should we automatically generate a module signing key at all?
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: George Spelvin <linux@horizon.com>, David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>, petkan@mip-labs.com,
        "Theodore Ts'o" <tytso@mit.edu>, Mimi Zohar <zohar@linux.vnet.ibm.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1266
Lines: 29

On Fri, May 22, 2015 at 1:40 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Fri, May 22, 2015 at 7:13 AM, George Spelvin <linux@horizon.com> wrote:
>>
>> 1) Create a tool to canonicalize the kernel and modules,
>>    stripping out the signatures before comparing them.  This has
>>    precedent in the way the prelink tool can un-prelink binaries
>>    so that hashes can be verified.
>
> So I'd obviously prefer this, so that we have just one model for verification.
>

In the threat model where module signatures matter in the first place
[1], this prevents reproducible builds from serving their purpose.  I
can build a kernel with a fresh signing key and throw away the private
key.  You can build a canonically identical kernel with a private key
that you keep.  A third party using mine is safe, but a third party
using yours is unsafe, even though the whole packages canonicalize to
exactly the same bytes.

[1] I still think this is a silly threat model, but many people
disagree with me.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/