Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp306787pxb; Wed, 25 Aug 2021 03:55:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyGxOo+EGrdOt6tPBXpiKBAsztezkst13m7NT8oUV8MJeV70+dg7GW6MUsLWvFGusvPTLVr X-Received: by 2002:a17:906:1382:: with SMTP id f2mr37992458ejc.536.1629888927880; Wed, 25 Aug 2021 03:55:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629888927; cv=none; d=google.com; s=arc-20160816; b=gE0bzVbc9UOTW95S2KjyOpgJpudSFsenTeK+pNtRm3HovjC44e6oG7Is77sM0gu6Fp GVks+MUVrck2zdS29qtM10HLEEC3g+7dBpIdVeVTEvTu4LmKNNkQW16/GRiydML8PFz1 wAl0ZAYBrXCTrxnplRMF9LRff+dItRRgKQnsMMcgacze0HETeUAcooiW7pWlw6zyaEQ6 +AlrMCSW6QbhQahSsTj3y2f1suURz4K6yXlNER8xNE6BfiDTZaYKkSTLbNitKYZTb6ud ZiECa9k+Q6WunOelAlXN+MSKgyM13pHMHDLrcd1r7OS1ts0PHuAUCeTuLjmZBh+C+VSp bKbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=WDW4n6VmGmu0Gv83VfUSTSNVXS6bNfNXOIRuFF+tE68=; b=ldM+QBUDgYxSbMxWC48soIE5TY0L8bAd2zqTpJP/w0cl+oKsoOltz4Ow8spw/GfZFA bD+0NEozD0ED6NPBwTPHBjvdCRua4sA/6puzfIWRNXveBZJBPIWCmeyEO04uCFjL8Qye rgdZbXpceczNDm+/4/0s0u/cU4pTWLMD60QDCrtS/ZjPSPczHKvf0/hmqbg7jKsW4yIN IFINeKK20P8eO9jxh0EX1ji1JOAnwDcf5cwYEZCFgj5uBLCfBBULMDFcwlTXuldHuRQ/ oSqETZMFzYxNvpYWFgyewXG64ZWPiEC3+yhImUcPmp5Aw30/ltA9RVGhylySp7VNSb0C t+zw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z10si19071703eje.713.2021.08.25.03.54.55; Wed, 25 Aug 2021 03:55:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237388AbhHYKys (ORCPT + 99 others); Wed, 25 Aug 2021 06:54:48 -0400 Received: from smtp1.de.adit-jv.com ([93.241.18.167]:55198 "EHLO smtp1.de.adit-jv.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236560AbhHYKyr (ORCPT ); Wed, 25 Aug 2021 06:54:47 -0400 X-Greylist: delayed 453 seconds by postgrey-1.27 at vger.kernel.org; Wed, 25 Aug 2021 06:54:47 EDT Received: from hi2exch02.adit-jv.com (hi2exch02.adit-jv.com [10.72.92.28]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp1.de.adit-jv.com (Postfix) with ESMTPS id 8291E3C0A7C; Wed, 25 Aug 2021 12:46:26 +0200 (CEST) Received: from lxhi-065 (10.72.94.13) by hi2exch02.adit-jv.com (10.72.92.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.14; Wed, 25 Aug 2021 12:46:26 +0200 Date: Wed, 25 Aug 2021 12:46:20 +0200 From: Eugeniu Rosca To: Johannes Berg , Johannes Berg , CC: Eugeniu Rosca , Eugeniu Rosca Subject: Re: [PATCH 4/4] cfg80211: implement regdb signature checking Message-ID: <20210825104620.GA3561@lxhi-065> References: <20171006135532.29550-1-johannes@sipsolutions.net> <20171006135532.29550-5-johannes@sipsolutions.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <20171006135532.29550-5-johannes@sipsolutions.net> User-Agent: Mutt/1.5.24 (2015-08-30) X-Originating-IP: [10.72.94.13] X-ClientProxiedBy: hi2exch02.adit-jv.com (10.72.92.28) To hi2exch02.adit-jv.com (10.72.92.28) Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Dear Johannes, Dear Linux wireless, On Fr, Okt 06, 2017 at 03:55:32 +0200, Johannes Berg wrote: > From: Johannes Berg > > Currently CRDA implements the signature checking, and the previous > commits added the ability to load the whole regulatory database > into the kernel. > > However, we really can't lose the signature checking, so implement > it in the kernel by loading a detached signature (regulatory.db.p7s) > and check it against built-in keys. > > TODO > - add Seth's key, obviously > > Signed-off-by: Johannes Berg > --- > net/wireless/Kconfig | 30 +++++++++++ > net/wireless/Makefile | 22 ++++++++ > net/wireless/certs/none.x509 | 0 > net/wireless/reg.c | 121 ++++++++++++++++++++++++++++++++++++++++++- > net/wireless/reg.h | 8 +++ > 5 files changed, 180 insertions(+), 1 deletion(-) > create mode 100644 net/wireless/certs/none.x509 > > diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig > index f050030055c5..da91bb547db3 100644 > --- a/net/wireless/Kconfig > +++ b/net/wireless/Kconfig > @@ -83,6 +83,36 @@ config CFG80211_CERTIFICATION_ONUS > you are a wireless researcher and are working in a controlled > and approved environment by your local regulatory agency. > > +config CFG80211_REQUIRE_SIGNED_REGDB > + bool "require regdb signature" if CFG80211_CERTIFICATION_ONUS > + default y > + select SYSTEM_DATA_VERIFICATION Since v4.15 commit 90a53e4432b122 ("cfg80211: implement regdb signature checking"), CFG80211_REQUIRE_SIGNED_REGDB is enabled unconditionally and users have no flexibility to disable it when CFG80211_CERTIFICATION_ONUS is unset (since the visibility of CFG80211_REQUIRE_SIGNED_REGDB depends on CFG80211_CERTIFICATION_ONUS). Based on the documentation of CFG80211_CERTIFICATION_ONUS, this option is supposed to stay disabled most of the times, hence users have to live with CFG80211_REQUIRE_SIGNED_REGDB=y and SYSTEM_DATA_VERIFICATION=y enabled in their kernel, which consumes a few tens of KB in the uncompressed binary Image (particularly on arm64). A few tens of KB is not much, but on embedded systems it matters. Can you please confirm Wireless subsystem requires CFG80211_REQUIRE_SIGNED_REGDB=y and SYSTEM_DATA_VERIFICATION=y regardless of the status of CFG80211_CERTIFICATION_ONUS ? Thanks, Eugeniu