Date: Fri, 20 Oct 2017 14:33:20 +0800
From: joeyli
To: David Howells
Cc: linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, matthew.garrett@nebula.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jforbes@redhat.com
Subject: Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down
Message-ID: <20171020063320.GL3285@linux-l9pv.suse>
References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk>
In-Reply-To: <150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk>

Hi David,

Thanks for sending out this series.

On Thu, Oct 19, 2017 at 03:50:55PM +0100, David Howells wrote:
> If the kernel is locked down, require that all modules have valid
> signatures that we can verify.
>
> Signed-off-by: David Howells

I have reviewed and tested this patch. Please feel free to add:

Reviewed-by: "Lee, Chun-Yi"

Thanks a lot!
Joey Lee

> --- > > kernel/module.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kernel/module.c b/kernel/module.c > index de66ec825992..3d9a3270c179 100644 > --- a/kernel/module.c > +++ b/kernel/module.c
> @@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags) > } > > /* Not having a signature is only an error if we're strict. */ > - if (err == -ENOKEY && !sig_enforce) > + if (err == -ENOKEY && !sig_enforce && > + !kernel_is_locked_down("Loading of unsigned modules")) > err = 0; > > return err; >
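
Review bot: The comment directly above the changed condition in module_sig_check() ("Not having a signature is only an error if we're strict.") no longer describes the code: with the added kernel_is_locked_down() term, a missing signature (-ENOKEY) also stays an error when the kernel is locked down, even with sig_enforce unset. Suggest extending the comment to name both conditions, for example "... only an error if we're strict or the kernel is locked down." Keeping kernel_is_locked_down("Loading of unsigned modules") as the last operand of the && chain is the right order, since it is then evaluated only for the -ENOKEY case with sig_enforce off and not on every module load.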