Date: Fri, 9 Aug 2019 08:43:05 +1000 (AEST)
From: James Morris
To: Matthew Garrett
cc: Jessica Yu, LSM List, Linux Kernel Mailing List, Linux API, David Howells, Kees Cook
Subject: Re: [PATCH V37 04/29] Enforce module signatures if the kernel is locked down
References: <20190731221617.234725-1-matthewgarrett@google.com> <20190731221617.234725-5-matthewgarrett@google.com> <20190801142157.GA5834@linux-8ccs> <20190808100059.GA30260@linux-8ccs>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 8 Aug 2019, Matthew Garrett wrote:

> On Thu, Aug 8, 2019 at 3:01 AM Jessica Yu wrote:
> > If you're confident that a hard dependency is not the right approach,
> > then perhaps we could add a comment in the Kconfig (You could take a
> > look at the comment under MODULE_SIG_ALL in init/Kconfig for an
> > example)? If someone is configuring the kernel on their own then it'd
> > be nice to let them know, otherwise having a lockdown kernel without
> > module signatures would defeat the purpose of lockdown no? :-)
>
> James, what would your preference be here? Jessica is right that not
> having CONFIG_MODULE_SIG enabled means lockdown probably doesn't work
> as expected, but tying it to the lockdown LSM seems inappropriate when
> another LSM could be providing lockdown policy and run into the same
> issue. Should this just be mentioned in the CONFIG_MODULE_SIG Kconfig
> help?

I agree and yes mention it in the help. A respin of just this patch is fine.

--
James Morris
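The mismatch the thread worries about, a kernel built with the lockdown LSM but without CONFIG_MODULE_SIG, can be caught by auditing the build config before the kernel is booted. The script below is an added example, not code from the thread or from the kernel tree; it assumes the mainline symbol names CONFIG_SECURITY_LOCKDOWN_LSM and CONFIG_MODULE_SIG_FORCE, which the message itself does not name.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel .config for a
# lockdown-enabled kernel that can still load unsigned modules.
# Assumed symbol names: CONFIG_SECURITY_LOCKDOWN_LSM (mainline name of the
# lockdown LSM option), CONFIG_MODULES, CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE.

# has CFG SYMBOL: succeeds if SYMBOL=y appears in config file CFG
has() { grep -q "^$2=y" "$1"; }

# check_lockdown_config CFG
# exit 0: consistent; exit 1: lockdown on but unsigned modules are loadable
check_lockdown_config() {
    cfg="$1"
    if ! has "$cfg" CONFIG_SECURITY_LOCKDOWN_LSM; then
        echo "$cfg: lockdown LSM not built in, nothing to enforce"
        return 0
    fi
    if ! has "$cfg" CONFIG_MODULES; then
        echo "$cfg: lockdown on, module loading compiled out: consistent"
        return 0
    fi
    if ! has "$cfg" CONFIG_MODULE_SIG; then
        echo "$cfg: MISMATCH: lockdown on but CONFIG_MODULE_SIG unset;" \
             "unsigned modules would load and defeat lockdown"
        return 1
    fi
    if has "$cfg" CONFIG_MODULE_SIG_FORCE; then
        echo "$cfg: lockdown on, signatures always enforced: consistent"
    else
        echo "$cfg: lockdown on, signatures enforced only while locked down"
    fi
    return 0
}

# Constructed sample configs (not real kernel configs) for a demo run.
tmp=$(mktemp -d)
printf '%s\n' CONFIG_MODULES=y CONFIG_SECURITY_LOCKDOWN_LSM=y \
    > "$tmp/bad.config"
printf '%s\n' CONFIG_MODULES=y CONFIG_MODULE_SIG=y \
    CONFIG_SECURITY_LOCKDOWN_LSM=y > "$tmp/good.config"

check_lockdown_config "$tmp/good.config"
check_lockdown_config "$tmp/bad.config" || echo "audit failed for bad.config"
```

Point it at /boot/config-$(uname -r) or a decompressed /proc/config.gz to audit a running kernel.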