Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1758709Ab2HQRwd (ORCPT <rfc822;w@1wt.eu>);
	Fri, 17 Aug 2012 13:52:33 -0400
Received: from mail-qc0-f174.google.com ([209.85.216.174]:34412 "EHLO
	mail-qc0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1758664Ab2HQRwY (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 17 Aug 2012 13:52:24 -0400
MIME-Version: 1.0
In-Reply-To: <CA+5PVA71aN+OtY4VA6b+VQO-Wg5vVFE0yJE2ORg5bQWoQk+Yqw@mail.gmail.com>
References: <cover.1345055638.git.dmitry.kasatkin@intel.com>
	<2114492cd221edc44622e528d66feeed342d2d34.1345055639.git.dmitry.kasatkin@intel.com>
	<CA+5PVA4qONeO+VqWQX+f87cs6KAdVPCOEEkpRzfo0M+LR6JHSA@mail.gmail.com>
	<CALLzPKbP_9jS2E=AG5gHsHYXEfxXh95j=UvwMfVA3OdgYF28eQ@mail.gmail.com>
	<CA+5PVA6UKvmAb+r2PPtKdDhz5CAWkGihfMS=1nwiO4XpBGrD=g@mail.gmail.com>
	<CALLzPKYKTbWZMpjKvnCJeqXDknTtKPLSYEPky49a5yNm=8CcHw@mail.gmail.com>
	<1345164802.2433.21.camel@falcor.watson.ibm.com>
	<CA+5PVA7ffHv7xOom1SNN8=-qYUQAUnHNXi=TNSX_FcKPUBtgzw@mail.gmail.com>
	<1345223322.2257.75.camel@falcor>
	<CA+5PVA71aN+OtY4VA6b+VQO-Wg5vVFE0yJE2ORg5bQWoQk+Yqw@mail.gmail.com>
Date: Fri, 17 Aug 2012 13:52:23 -0400
Message-ID: <CA+5PVA7peKJQJ4tdk_8iNqnAHC6YrekiNpm3wmtOoM45m_hHNQ@mail.gmail.com>
Subject: Re: [RFC v2 7/7] modsig: build rules and scripts to generate keys and
 sign modules
From: Josh Boyer <jwboyer@gmail.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>, jmorris@namei.org,
        rusty@rustcorp.com.au, dhowells@redhat.com,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset=ISO-8859-1
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2086
Lines: 37

On Fri, Aug 17, 2012 at 1:44 PM, Josh Boyer <jwboyer@gmail.com> wrote:
>> I still think the signed_modules_install script, renamed to something
>> like ephemeral_signed_modules_install, is worthwhile and becomes a
>> convience tool for the developer, wanting to use ephemeral keys.  The
>> private key, in Dmitry's updated patches soon to be posted, will be
>> password protected with a random number, that is only accessible to the
>> current shell.
>
> I think the existence of an additional make target for signed modules
> is really confusing.  Particularly when you consider the target still
> exists even if the kernel isn't setup to work with signed modules.  If
> the config options are set, just have 'make modules_install' do it and
> create a key if one doesn't exist (or better yet, have 'make' do it).
>
> Also... password protecting the key that only responds to the current
> shell really sounds like a show-stopper for this being used by distros.
> There is no way a distro is going to be able to type a password in
> during a kernel build.  It completely removes the usability of distros
> that want to use a per-kernel build ephemeral key.  If you're going to
> do this, please wrap it in a kconfig option so the second distro case
> I mentio above is still possible.

Here's a suggestion that might help the discussion.  In the next
revision of the patch set, include a document in Documentation/ that
covers the module signing design, the purposes it's intended to fit,
and a high level description of the various module loading scenarios
(signed, unsigned, signed with a key not in the keyring, etc).  That
way we can at least see at a higher level what the thinking behind the
implemenation is.  I think some of our back and forth (while good!) is
because we see signed modules being used for different purposes.

josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/