Received: by 10.223.185.116 with SMTP id b49csp753736wrg;
        Fri, 16 Feb 2018 06:42:38 -0800 (PST)
X-Google-Smtp-Source: AH8x227Sis2nqMvQhUtqTKVZ0p4hKwuy19LArIWu6K9Tsm25a7/Blf6vL8uMlyqtpoEPZgLH23te
X-Received: by 10.98.170.15 with SMTP id e15mr6329128pff.207.1518792157881;
        Fri, 16 Feb 2018 06:42:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518792157; cv=none;
        d=google.com; s=arc-20160816;
        b=uLyuxdwSAwyQW30ToKx1XgNVwiGsyMEZwFTQ8EfJjX+Ahyx6OcuVsirKIWOjXAYzr3
         sNxP5RboHABjjSuf6gzNT/MRFMb3zSMgcvD/6fYS+UIsXqwSppJJQWOXZu0N3hDwsTCN
         g2gY/p9Dvdr3n0gHbIB89xAf2/7bYk1c3/Hwa0/SpQv7dep1uDQ/ZOsGT14uZzBX4UGC
         1RUg5jRtaQVbTbevgY0l3Eu13p1TsO3Z5Srk2bFbdeuY3XZpv3I9xVpklrl2CQFKy1RC
         xPamGrkbTHWnXDBWu0qWcsDKrBPrDUQQhcd4jA7ta3FzcJqmMZJugbUrD9b0Ek9+RkfE
         CY+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=NK0nsf9X1Jdjd+gTNmwO2ypPw2K0xCV69ZMkt5/u4jM=;
        b=hswj0GTjS3CFK9TZvZDbmHb55IizliqoKYJJfIVBDC4/eCB+gaQm552CDoXLYLMof5
         bvpheUKmDNwo3t5tVolYJcgeaH6RQEQYOJu76v9kmEq1js+KgIo6hGBnQXZL7tGiZtKs
         uHCGfFr0PEtIyY+sT6PC5494qkhJ4VRyfOTarCxxasAsTmOSb3+q1hoHNbBPMRbFiomx
         y1DHnN2qXTFG/8nGS9wrHMhlVXdETucrynOy0VKhiT70KsTfwrz8aZJJjXUAiwOJ5non
         dyEsLX/aYwhdCIle6YJ0gkzJskQs+8H+nUD4p3x2khWfY395bJDOKPjh6ydfsqRBBwZQ
         oRSA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=HqevD+08;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e25si3232416pfn.82.2018.02.16.06.42.22;
        Fri, 16 Feb 2018 06:42:37 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=HqevD+08;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755544AbeBOTg7 (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Thu, 15 Feb 2018 14:36:59 -0500
Received: from mail-io0-f194.google.com ([209.85.223.194]:41531 "EHLO
        mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755533AbeBOTg5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Feb 2018 14:36:57 -0500
Received: by mail-io0-f194.google.com with SMTP id e4so1807616iob.8
        for <linux-kernel@vger.kernel.org>; Thu, 15 Feb 2018 11:36:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=NK0nsf9X1Jdjd+gTNmwO2ypPw2K0xCV69ZMkt5/u4jM=;
        b=HqevD+08LDnFNvrt3ByFHt+2NkHa+Yb6+FSa84woaCnmGX6EmKzwstVGxPLLHJ2Iod
         JBHP792/PwYT2cwyA/MJhAsSsAKKflEpbZ8NOtJ2SOC5ATHohYASrh0DDBCyAsXSbiqq
         QBDrqo87wbYtVpEE5AgkEt+heQbM7JX8dPIIdEjq6ulWOjaEnyn4FR+eqyCp/r3z/7Kl
         im0cBWnsMcit/q0W/gHUh0oZDbPtTrhu2xJeFBObflhYq5BftgxJObHaW8YvWseQt65m
         YSL3N2kI7hHAhAXYspDpCIK5fixEraHggjCRDa3lBMmwtnFbu0TIAwsfvyZ/dTxE02lq
         CHhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=NK0nsf9X1Jdjd+gTNmwO2ypPw2K0xCV69ZMkt5/u4jM=;
        b=l3EC4KFi+OU2qvCAwj7YOGDAomgxyic9esVX8F2U6jMaHy4sTiphpjocgYMarZm4PB
         CbeEJ63MLpPG4HBtCGisT4KrV33074sSMhmnNu/eApMkLrGRd+DAlOSS5h8wWxTp1KtS
         c1FfnWvGzJXCcmSozD1NGv0cGgKAwSI4lUNNXPmLHFO00wGYonTFbeT6eoSsX4U9djxa
         KsFU4S7JpZcgfW7jpdohIrwQqPndnJtuBEj/22oZP7oV1Yf8sIktzRwOA4c3baX/Fdfh
         E6rTcgpu0qWC7OyCUw4qs1pfCrLJZLRExiFOStaaVV3aYTl5onGNU5DSBIuDQtAXbdZK
         wGaQ==
X-Gm-Message-State: APf1xPBGal7ETaKO1x9gPBafEG2jU2nyPsyiJiXklERq1FBLlXgvV63K
        /tKV14k9WfZhilQa+EhUqMKaFwgex4zA1wd93Mziyg==
X-Received: by 10.107.82.15 with SMTP id g15mr5290401iob.157.1518723416488;
 Thu, 15 Feb 2018 11:36:56 -0800 (PST)
MIME-Version: 1.0
References: <20170807195027.13192-1-mjg59@google.com> <CACdnJus-X533K0Bgqjc-MoZ2NbLz0ac9x+rryHUtnjrnmJ+Kmg@mail.gmail.com>
 <20180215152514.rxmh7webdg2i2fct@redbean>
In-Reply-To: <20180215152514.rxmh7webdg2i2fct@redbean>
From:   Matthew Garrett <mjg59@google.com>
Date:   Thu, 15 Feb 2018 19:36:45 +0000
Message-ID: <CACdnJutL7rJE=1bsh45RmvunU-GZJCYaejyznENrAgFB6nbCLA@mail.gmail.com>
Subject: Re: [PATCH] Make kernel taint on invalid module signatures configurable
To:     Jessica Yu <jeyu@kernel.org>
Cc:     Ben Hutchings <ben@decadent.org.uk>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 15, 2018 at 7:25 AM Jessica Yu <jeyu@kernel.org> wrote:
> I'm still unclear on why a distro would enable CONFIG_MODULE_SIG and
> then _not_ want to know about unsigned modules.

The same kernel image may be used in situations where the use case benefits
from enforcement of module signatures and cases where it doesn't -
distributions don't generally have the resources to ship multiple kernel
packages with lightly modified configurations.

>  From what I understand from Ben's post from last year
> (http://lkml.kernel.org/r/1504044122.4448.24.camel@decadent.org.uk),
> it sounds like the main issue is that Debian doesn't support their own
> centralised module signing yet, causing all of their modules to be
> automatically tainted if they enable CONFIG_MODULE_SIG, and that a new
> option like this would likely be used as a temporary "fix". Am I
> understanding correctly?

Not entirely. There's two cases where the current situation causes problems:

1) Distributions that build out of tree kernel modules and don't have
infrastructure to sign them will end up with kernel taint. That's something
that can be resolved by implementing that infrastructure.
2) End-users who build out of tree kernel modules will end up with kernel
taint and will file bugs. This cannot be fixed but will increase
distribution load anyway.

> I understand this predicament, but it seems like adding a new set of
> options/parameters like this is just hiding the symptoms of the
> problem (modules distributed by Debian getting tainted by default)
> instead of fixing what seems to be the heart of the issue (Debian
> doesn't support their own module signing yet), if that makes sense.
> I am hesitant about merging something that would only serve as a
> temporary solution until Debian supports their own module signing. In
> that case, I would prefer the Debian folks to maintain their own patch
> removing the taint until they support module signing for their own
> modules, especially if - and please correct me if I'm wrong - the
> new option is not going to see long-term usage.

I'd expect this option to be used by distributions for as long as
distributions need to support use-cases that don't need signed modules, so
probably forever.