Received: by 10.223.164.221 with SMTP id h29csp4735963wrb;
        Thu, 19 Oct 2017 23:34:55 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+SEBDyJzxhqEWKmKJbLPO7SFCinIj1eHucqflx/waLDu8pZOkrM+Z0H247N0IBY6DiLuuIK
X-Received: by 10.101.83.12 with SMTP id m12mr3511942pgq.153.1508481294455;
        Thu, 19 Oct 2017 23:34:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1508481294; cv=none;
        d=google.com; s=arc-20160816;
        b=PZdnGccjZogbTJosj78kVRFWX5R7sAsoxiRl84C4XLhJXTznGC+IWL89XmW6OUcecB
         drYnDb+Rn572VoOP4DZt2+BEo10bOEoeOR/QSlamv9wqvvYxhz5hAAQL7jnd5TDog7AX
         B20sSb2otTc+rHjTHvw/F5TUig0HgtBWd/+SZ4UvGxToxt6O+AiQuUGAhjIrnPKoDnKl
         PCr9J8OrDLHsPaFDppl2S6qHZQTPzpEwHcaVv5FeiBZ7hmIEq4OYRYk8kK/iM6SiGgsn
         q0rIPSvixWeEXsCRUtVZJEsB1rvf0IO0XeAphbX6aLMWx6+F35lDAPcjMD0wY5NT2SD9
         Kuew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=0r/FIboowOMffnn3uOxi2mjVQbSf7/slYByWqohP2bg=;
        b=nRSxffRPLO16Aj/m0VNJxei5Gk/EyUNr2UCyLIKyO/iOBVlc9xhJb67sWDYDceSNJh
         GYzY3+eWHfqsEBLxhZeJPJVcVcbJ6jJ50GecRkUJgm2K9QggIJNX1q4MmRmA4pkB+q0z
         wP3lHnRKsw9SkKtDAbRIaB6nFpsIWbvrmGc8HOlePqjkozVeoMlVAqn8dslUBaGFGPc6
         BIKwLiNrm9ooZ9MVuOSWbjfS0ujXFEmggiYyGuJ1C/udjyNsRTUGQZO/9fqDOljX73Dl
         LqSa0qCL/gM3V5azS8hCIYoFvfEBl6CljG2nz3pTDj6UtS756qYbqhFMKvDLs+RhLQ6M
         L2aQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a12si267525pfd.581.2017.10.19.23.34.40;
        Thu, 19 Oct 2017 23:34:54 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751559AbdJTGdg (ORCPT <rfc822;learnos2017@gmail.com>
        + 99 others); Fri, 20 Oct 2017 02:33:36 -0400
Received: from smtp.nue.novell.com ([195.135.221.5]:50611 "EHLO
        smtp.nue.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751061AbdJTGde (ORCPT
        <rfc822;groupwise-linux-kernel@vger.kernel.org:0:0>);
        Fri, 20 Oct 2017 02:33:34 -0400
Received: from linux-l9pv.suse (NK60-244-124-125.vdslpro.static.apol.com.tw [60.244.124.125])
        by smtp.nue.novell.com with ESMTP (TLS encrypted); Fri, 20 Oct 2017 08:33:29 +0200
Date:   Fri, 20 Oct 2017 14:33:20 +0800
From:   joeyli <jlee@suse.com>
To:     David Howells <dhowells@redhat.com>
Cc:     linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk,
        linux-efi@vger.kernel.org, matthew.garrett@nebula.com,
        gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
        jforbes@redhat.com
Subject: Re: [PATCH 03/27] Enforce module signatures if the kernel is locked
 down
Message-ID: <20171020063320.GL3285@linux-l9pv.suse>
References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk>
 <150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi David,

Thanks for you send our this series.

On Thu, Oct 19, 2017 at 03:50:55PM +0100, David Howells wrote:
> If the kernel is locked down, require that all modules have valid
> signatures that we can verify.
> 
> Signed-off-by: David Howells <dhowells@redhat.com>

I have reviewed and tested this patch. Please feel free to add:

Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>

Thanks a lot!
Joey Lee

> ---
> 
>  kernel/module.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/module.c b/kernel/module.c
> index de66ec825992..3d9a3270c179 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags)
>  	}
>  
>  	/* Not having a signature is only an error if we're strict. */
> -	if (err == -ENOKEY && !sig_enforce)
> +	if (err == -ENOKEY && !sig_enforce &&
> +	    !kernel_is_locked_down("Loading of unsigned modules"))
>  		err = 0;
>  
>  	return err;
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-efi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

From 1581705993536835286@xxx Thu Oct 19 16:59:42 +0000 2017
X-GM-THRID: 1581705993536835286
X-Gmail-Labels: Inbox,Category Forums