Re: [PATCH] MODSIGN: Don't taint unless signature enforcing is enabled

From: Rusty Russell
Date: Sun Jan 06 2013 - 20:17:13 EST

Josh Boyer <jwboyer@xxxxxxxxxx> writes:
> With module signing enabled but not in enforcing mode, we don't consider
> unsigned modules to be an error. However, we only mark sig_ok as true if
> a signature verified. This causes the module to be tainted with the

Wait, what? So, what does CONFIG_MODULE_SIG=y with MODULE_SIG_FORCE=n
mean? Why not just call that CONFIG_USELESS_BLOAT? :)

> That in turn taints the kernel, which also disables lockdep.

Yeah, lockdep is oversensitive. This has been argued before, take it up
with Ingo. Perhaps we need a taint flag bit to indicate that lockdep
should actually be disabled?

> Tainting the module and kernel when we don't consider something to be an
> error seems excessive. This marks sig_ok as true if we aren't in enforcing
> mode.

If we were to do this, please follow Plauger's Law: "Don't patch bad
code - rewrite it."

In this case, rip out the now-useless sig_ok field.


> diff --git a/kernel/module.c b/kernel/module.c
> index 250092c..a50172e 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2443,8 +2443,10 @@ static int module_sig_check(struct load_info *info)
> if (err < 0 && fips_enabled)
> panic("Module verification failed with error %d in FIPS mode\n",
> err);
> - if (err == -ENOKEY && !sig_enforce)
> + if (err == -ENOKEY && !sig_enforce) {
> + info->sig_ok = true;
> err = 0;
> + }
> return err;
> }
> --
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at