From: Rusty Russell <rusty@rustcorp.com.au>
To: Matthew Garrett <mjg59@google.com>
Cc: linux-kernel@vger.kernel.org, jeyu@kernel.org
Subject: Re: [PATCH] Allow automatic kernel taint on unsigned module load to be disabled
In-Reply-To: <CACdnJutPrDvYtssnc=yVvWa_4oTRvigUhK+5J8s941oAoJDT6Q@mail.gmail.com>
References: <20170804180751.14896-1-mjg59@google.com> <878tixxk2j.fsf@rustcorp.com.au> <CACdnJutPrDvYtssnc=yVvWa_4oTRvigUhK+5J8s941oAoJDT6Q@mail.gmail.com>
Date: Mon, 07 Aug 2017 12:19:28 +0930
Message-ID: <8760e0xfbb.fsf@rustcorp.com.au>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1336
Lines: 33

Matthew Garrett <mjg59@google.com> writes:
> On Sat, Aug 5, 2017 at 11:54 PM, Rusty Russell <rusty@rustcorp.com.au> wrote:
>> Matthew Garrett <mjg59@google.com> writes:
>>> Distributions may wish to provide kernels that permit loading of
>>> unsigned modules based on certain policy decisions.
>>
>> Sorry, that's way too vague to accept this patch.
>>
>> So I'm guessing a binary module is behind this vagueness.  If you want
>> some other method than signing to vet modules, please do it in
>> userspace.  You can do arbitrary things that way...
>
> Binary modules will still be tainted by the license checker. The issue
> is that if you want to enforce module signatures under *some*
> circumstances, you need to build with CONFIG_MODULE_SIG

Not at all!  You can validate them in userspace.

> but that
> changes the behaviour of the kernel even when you're not enforcing
> module signatures. The same kernel may be used in environments where
> you can verify the kernel and environments where you can't, and in the
> latter you may not care that modules are unsigned. In that scenario,
> tainting doesn't buy you anything.

With your patch, you don't get tainting in the environment where you can
verify.

You'd be better adding a sysctl or equiv. to turn off force loading, and
use that in your can-verify system.

Cheers,
Rusty.