Received: by 10.223.185.116 with SMTP id b49csp1034497wrg; Wed, 21 Feb 2018 10:56:41 -0800 (PST) X-Google-Smtp-Source: AH8x227j2bREX8AKNk/ID1unAy2SaAjdjMi000nVtBlo7YJRxDJ9wgJI7XZliB5bRbxKt/shCKH9 X-Received: by 10.98.61.133 with SMTP id x5mr1243533pfj.181.1519239401539; Wed, 21 Feb 2018 10:56:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519239401; cv=none; d=google.com; s=arc-20160816; b=Dt/uGxNTM1K2oGBzz6sfNNcPqO2sfX0Pu3DToGnlgQqAAKcvpARKGz6UdVNR+J+XB6 r2U8U6fGMy/kjVP/SdXhAKqO3LtWXeJ/HVmkcUGCDS1cAisXlJc2OsYYuP6uHlzCCPci 2MzxiIhxtdNVa2Ku6CqcPUktO2EinUWETY3LRDY8jA2rZkm7DccbDq/lJsNuAmglCyQC RbVduXFCeUjyGXhL+4DyGSEoK5d/0f0nrSVZjcH16gWIR7sLYBj8DM6/rwOYynrzRU80 6++zWQJ31NiV2Mzt9Ytqxe3ifhg7d+Y8OpkkUg6Xa4vunsN1rdcd48oDvCBXbNGPHoEU YSLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to:date :cc:to:from:subject:message-id:arc-authentication-results; bh=CgT5RRKnO0C1EBCeQGBBHmpU2Pw0/d3VtUPwtUAnWkI=; b=inllVmgmi2a5NgVoVhBiJ7NG3rNiwFxvwuI1Fdp4Ddh0aOaEx/5XBqWxU+l0zmxXWG gr+EVDva/6yryx4zjZZJcWAKGjHvje2RfQVtz3OQOyX3l0fIT5yagIWChrpjrVkFP6sc CyiOQnEDCdy+n58CRnnDK60+Z+byw1hZjQKqwMKjk6gkUyq3FVTzad01sqEtkorKITqf Vi/f/HKF2krKqHx463MhdMGCDa9fGklSVHr717d6u5kbJER1yTq/uX/dm1iMOe7EinKa ySRTnePshKTnr31U4sXrqZFAIGhNE6ocFy44v6YCgOwuVOr6LDDh934WmAhGBfgSDz3S maSA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 62-v6si7797522ple.267.2018.02.21.10.56.26; Wed, 21 Feb 2018 10:56:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965855AbeBUPCa (ORCPT + 99 others); Wed, 21 Feb 2018 10:02:30 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:36891 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S937439AbeBUPC1 (ORCPT ); Wed, 21 Feb 2018 10:02:27 -0500 Received: from 188.29.164.183.threembb.co.uk ([188.29.164.183] helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1eoVub-0007xk-OK for linux-kernel@vger.kernel.org; Wed, 21 Feb 2018 15:02:26 +0000 Received: from ben by deadeye with local (Exim 4.90) (envelope-from ) id 1eoVrX-0005Tq-6m; Wed, 21 Feb 2018 15:59:15 +0100 Message-ID: <1519225147.2617.169.camel@decadent.org.uk> Subject: Re: [PATCH] Make kernel taint on invalid module signatures configurable From: Ben Hutchings To: Matthew Garrett , Jessica Yu Cc: Rusty Russell , Linux Kernel Mailing List Date: Wed, 21 Feb 2018 15:59:07 +0100 In-Reply-To: References: <20170807195027.13192-1-mjg59@google.com> <20180215152514.rxmh7webdg2i2fct@redbean> <20180220192100.wlrn3c4hnqdmu4zg@redbean> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-c8K3iY/Hyn2cTJ2oqMeZ" X-Mailer: Evolution 3.26.3-1 Mime-Version: 1.0 X-SA-Exim-Connect-IP: 188.29.164.183 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --=-c8K3iY/Hyn2cTJ2oqMeZ Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, 2018-02-20 at 20:37 +0000, Matthew Garrett wrote: > On Tue, Feb 20, 2018 at 11:21 AM Jessica Yu wrote: [...] > > In any case, I think I'd be willing to merge it as a module_param made > > available under CONFIG_MODULE_SIG=3Dy (rather than as a new separate co= nfig > > option), while preserving the default behavior of tainting on > > unsigned/invalidly signed module loads (so let's keep the param parts o= f > > your patch). I think it makes sense to consider the turning-off-the-tai= nt > > param as a behavioral tweak under CONFIG_MODULE_SIG. Then you could tur= n > > off the tainting behavior on the kernel command line, would this suffic= ient > > enough for your use cases? > > I think that's probably not practical - distributions often aren't in > control of the kernel command line after initial installation, so they'd > end up with different behaviour depending on whether a machine was a clea= n > install or not (which is why several things that are module_params have > defaults controlled by additional kernel config options) Indeed. So long as Debian doesn't do module signing, the default behaviour in our kernel images will need to be that they don't complain about lack of signatures. [...] > > > 1) Distributions that build out of tree kernel modules and don't have > > > infrastructure to sign them will end up with kernel taint. That's som= ething > > > that can be resolved by implementing that infrastructure. > > > 2) End-users who build out of tree kernel modules will end up with ke= rnel > > > taint and will file bugs. This cannot be fixed but will increase > > > distribution load anyway. > > I thought these two cases (particularly #2) were the very situations > > where distros might find the unsigned module taint useful (especially > > in the use case where you do benefit from module signatures). From my > > understanding, the unsigned module taint is intended to be useful when > > looking at crashes/OOPses, to provide a clear indication of whether or > > not a developer could reliably debug the crash, or choose to tread > > carefully, because the end-user has loaded an unsigned/out-of-tree > > module that wasn't signed/shipped by the distribution. Is the taint > > just not useful to distros in this manner anymore? >=20 > The module list is usually sufficient for that - users tend not to replac= e > individual distribution modules without rebuilding their entire kernel. And we already have an O (out-of-tree) taint flag. Ben. --=20 Ben Hutchings [W]e found...that it wasn't as easy to get programs right as we had thought. ... I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. - Maurice Wilkes, 1949 --=-c8K3iY/Hyn2cTJ2oqMeZ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAlqNiTwACgkQ57/I7JWG EQkDsRAAlFKAqyA/Hvmn5wpjf0nr5hIYNNRVRwMFYyKRTjRHW2Nl5bHwmpBa3nXs dl/6G6vQW2+qXuRv8hhqjtY7POVJeN1ciQtykBweCG/ii2wlwi0YATkmMl8KJFe9 WRsFqZwuBizh4p7Y0kKXXDGpVVwZ6GqWwnEQ3TvvU6VZpbKCkbwBPhzbwWbvDdmY RLzA6k0GD/+3Co5F6J3SC0M1yI/xRD6pd95ARjOWkQwL1URKBqtH3fytl9p9CRJ8 m8XbFXOyZUMsSnA2L/pvvm9BSCbH2G8+4jbe8HqVz6kFRUCL4JxCg68aNa+C8uXg zwy9HHnJ5b3JeunNJ1OKisgwz9txcAkotYM+Tf9nmfy6v4EbMB2WGxl5OqqlVOxd 5RYyVj3tOfnp0g7yxcIX2AfFYE0SBQGRCx4j6xNHJJB/21asB1xNyk0jVMHUBvck aa2SsTPCY43kGrj8vCsX5SB9nMI1f3YcHS+y7uHz/k2/c1lAutfc9+e2owf96V3W /F5MyIBa1oGb5Ap05xVA1BlXmh3inLdWMs71FumroXBuK+rRbbZcYE/oBdpZngC1 dw0nN6En7+7jFSXrQl9aFm3x3XyGr4U41k6GTTNGHGHMhQWaONaS49pUxcEMdC8X jPlZxxc4/MSLAM3KdmV0UuFffSWDTUJtnlZgFubOTX81onaIFp0= =u0q1 -----END PGP SIGNATURE----- --=-c8K3iY/Hyn2cTJ2oqMeZ--