Message-ID: <1520961515.5360.19.camel@HansenPartnership.com>
Subject: Re: [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module
From: James Bottomley
To: "Lee, Chun-Yi", David Howells
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi", Josh Boyer
Date: Tue, 13 Mar 2018 10:18:35 -0700
In-Reply-To: <20180313103803.13388-5-jlee@suse.com>
References: <20180313103803.13388-1-jlee@suse.com> <20180313103803.13388-5-jlee@suse.com>

On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote:
> This patch adds the logic for checking the kernel module's hash
> based on the blacklist. The hash must be generated by sha256 and enrolled
> to dbx/mokx.
>
> For example:
> sha256sum sample.ko
> mokutil --mokx --import-hash $HASH_RESULT
>
> Whether the signature on the ko file is stripped or not, the hash can be
> compared by the kernel.

What's the use case for this?  We're already in trouble from the ODMs for the size of dbx and its consumption of the extremely limited variable space, so do we really have a use case for adding module blacklist hashes to the UEFI variables given the space constraints (as in one we can't do any other way)?

James
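The quoted patch description claims the blacklist hash can be compared whether or not the module's appended signature has been stripped. The following Python is an added illustration of how such a signature-independent comparison can work; it is not code from the patch series or from the kernel. It assumes the trailer layout the kernel's module-signing format uses (a 12-byte `module_signature` info block followed by the `~Module signature appended~` magic string), the sample module bytes and the signature blob are constructed stand-ins rather than a real ELF image or PKCS#7 signature, and the helper names (`strip_module_signature`, `module_hash`, `is_blacklisted`) are hypothetical. Which bytes the actual patch digests is not shown on this page.

```python
import hashlib
import struct

# Trailer appended after the signature blob (assumed layout from the kernel's
# module signing format): struct module_signature (12 bytes) + 28-byte magic.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, __pad[3], sig_len (big-endian u32)
MODULE_SIG_INFO = struct.Struct(">5B3xI")
PKEY_ID_PKCS7 = 2


def strip_module_signature(data: bytes):
    """Split a .ko image into (payload, signature_blob).

    Without an appended signature the whole image is the payload and the
    signature is None.  A malformed trailer raises ValueError instead of being
    silently treated as an unsigned module.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return data, None
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIG_INFO.size:
        raise ValueError("module signature trailer is truncated")
    algo, hash_alg, id_type, signer_len, key_id_len, sig_len = MODULE_SIG_INFO.unpack(
        body[-MODULE_SIG_INFO.size:]
    )
    if id_type != PKEY_ID_PKCS7 or algo or hash_alg or signer_len or key_id_len:
        raise ValueError("unexpected module signature info block")
    if sig_len > len(body) - MODULE_SIG_INFO.size:
        raise ValueError("signature length exceeds module image")
    payload_len = len(body) - MODULE_SIG_INFO.size - sig_len
    return body[:payload_len], body[payload_len:payload_len + sig_len]


def module_hash(data: bytes) -> str:
    """SHA-256 of the module with any appended signature removed."""
    payload, _ = strip_module_signature(data)
    return hashlib.sha256(payload).hexdigest()


def is_blacklisted(data: bytes, blacklist: set) -> bool:
    """True if the module's signature-independent hash is enrolled in the blacklist."""
    return module_hash(data) in blacklist


def append_fake_signature(payload: bytes, sig_blob: bytes) -> bytes:
    """Build a signed-looking image for the demo (constructed; not a real PKCS#7 signature)."""
    info = MODULE_SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig_blob))
    return payload + sig_blob + info + MODULE_SIG_STRING


# Constructed sample standing in for the bytes of sample.ko (not a real ELF module).
UNSIGNED_KO = b"\x7fELF-constructed-sample-module-body"
SIGNED_KO = append_fake_signature(UNSIGNED_KO, b"\x30\x82\x01\x00" + b"\xaa" * 60)

# The hash an administrator would enrol with `mokutil --mokx --import-hash`.
BLACKLIST = {hashlib.sha256(UNSIGNED_KO).hexdigest()}


def demo():
    """Return (hash of unsigned image, hash of signed image, both blacklisted?)."""
    return (
        module_hash(UNSIGNED_KO),
        module_hash(SIGNED_KO),
        is_blacklisted(UNSIGNED_KO, BLACKLIST) and is_blacklisted(SIGNED_KO, BLACKLIST),
    )


if __name__ == "__main__":
    unsigned, signed, blocked = demo()
    print("unsigned:", unsigned)
    print("signed:  ", signed)
    print("blocked: ", blocked)
```

Note that `sha256sum sample.ko` digests the file exactly as stored on disk, while the helper above hashes only the payload with the trailer removed; the enrolled hash has to be computed over the same bytes the kernel ends up comparing, or a signed module and its stripped copy will not both match.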