Date: Thu, 8 Aug 2019 12:01:00 +0200
From: Jessica Yu
To: Matthew Garrett
Cc: James Morris, LSM List, Linux Kernel Mailing List, Linux API, David Howells, Kees Cook
Subject: Re: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down
Message-ID: <20190808100059.GA30260@linux-8ccs>

+++ Matthew Garrett [01/08/19 13:42 -0700]:
>On Thu, Aug 1, 2019 at 7:22 AM Jessica Yu wrote:
>> Apologies if this was addressed in another patch in your series (I've
>> only skimmed the first few), but what should happen if the kernel is
>> locked down, but CONFIG_MODULE_SIG=n? Or shouldn't CONFIG_SECURITY_LOCKDOWN_LSM
>> depend on CONFIG_MODULE_SIG? Otherwise I think we'll end up calling
>> the empty !CONFIG_MODULE_SIG module_sig_check() stub even though
>> lockdown is enabled.
>
>Hm. Someone could certainly configure their kernel in that way. I'm
>not sure that tying CONFIG_SECURITY_LOCKDOWN_LSM to CONFIG_MODULE_SIG
>is the right solution, since the new LSM approach means that any other
>LSM could also impose the same policy. Perhaps we should just document
>this?

Hi Matthew,

If you're confident that a hard dependency is not the right approach,
then perhaps we could add a comment in the Kconfig (You could take a
look at the comment under MODULE_SIG_ALL in init/Kconfig for an
example)? If someone is configuring the kernel on their own then it'd
be nice to let them know, otherwise having a lockdown kernel without
module signatures would defeat the purpose of lockdown no? :-)

Thank you,

Jessica
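
The configuration gap discussed in this thread can be checked for in a built kernel's .config. The script below is an added example, not part of the original message or the patch series; the function names are hypothetical, the sample .config is constructed, and skipping kernels built without CONFIG_MODULES is an assumption of this example.

```sh
#!/bin/sh
# Added example: flag a kernel .config that enables the lockdown LSM
# without module signature support (the case raised in the thread).

# kconfig_value FILE SYMBOL -> prints the symbol's value (y, m, a string...).
# A missing symbol and "# CONFIG_FOO is not set" both print n.
kconfig_value() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# audit_lockdown_config FILE
# Returns 0 if consistent, 1 if lockdown is built without MODULE_SIG,
# 2 if the file cannot be read.
audit_lockdown_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    lockdown=$(kconfig_value "$1" CONFIG_SECURITY_LOCKDOWN_LSM)
    modules=$(kconfig_value "$1" CONFIG_MODULES)
    modsig=$(kconfig_value "$1" CONFIG_MODULE_SIG)
    [ "$lockdown" = y ] || return 0   # lockdown LSM not built: nothing to check
    [ "$modules" = y ] || return 0    # assumption: no loadable modules, no gap
    [ "$modsig" = y ] && return 0     # signature checking is compiled in
    echo "$1: CONFIG_SECURITY_LOCKDOWN_LSM=y but CONFIG_MODULE_SIG is not set" >&2
    return 1
}

# Constructed sample: the combination described in the thread.
sample_config() {
    cat <<'EOF'
CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp) && sample_config > "$tmp"
audit_lockdown_config "$tmp" || echo "audit exit status: $?"
rm -f "$tmp"
```

To audit a real build, call `audit_lockdown_config` with the path to that kernel's .config instead of the sample.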