Re: MODSIGN without RTC?

From: Alexander Holler
Date: Thu Feb 07 2013 - 05:56:47 EST

Next message: Jonghwa Lee: "[PATCH v2] rtc: max8997: Add driver for max8997 rtc."
Previous message: Florian Westphal: "Regression, bisected: hyperv shutdown panics guest"
In reply to: Alexander Holler: "Re: MODSIGN without RTC?"
Next in thread: Olaf Titz: "Re: MODSIGN without RTC?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am 07.02.2013 08:01, schrieb Alexander Holler:

Am 07.02.2013 07:42, schrieb Geert Uytterhoeven:
On Thu, Feb 7, 2013 at 2:06 AM, Alexander Holler <holler@xxxxxxxxxxxxx> wrote:
Am 07.02.2013 00:42, schrieb Alexander Holler:
I wanted to try out MODSIGN with kernel 3.7.6 and I've just got hit by:

[ 1.346445] X.509: Cert 6a23533cec71c4c52a1618fb4d830e06aa90474e is
not yet valid

The reason is likely that the (ARM) device in question doesn't have a
RTC (oh, that topic again ;) ) and gets it's time on boot through NTP.

The used certificate was generated automatically. Having a look at it,
the following is shown:

Validity
Not Before: Feb 6 02:56:46 2013 GMT
Not After : Jan 13 02:56:46 2113 GMT

Without having thought about possible security problems, my first idea
would be to let the validity start at 1970. As I never did such I never
had thought about possible implications when doing such (e.g. I don't
know if someone checks the start date for plausabilitiy)

Another solution would be to retry loading of the certificate if the
time gets set (and e.g. differs more than a year).

Has someone already thought about how to solve that problem? Or did
everyone use sane systems which have a (working) RTC?

Another option would be to make a configure option to just ignore the date.

Or an option to auto-advance the clock to the "Not Before" date if needed...

I'm not sure if I would like to use MODSIGN when I have to fear that the
machine wouldn't start when the RTC fails or got set to a wrong date.

Hmm, nice failure mode...

And the dream of every vendor, finally a working expiration date. And a
nice TV-B-Gone, just feed a wrong date once. ;)

I've digged a bit around about how to disable the date check, but then decided that I shouldn't try to implement that (CONFIG_MODSIGN_IGNORE_DATES) because of missing knowledge about the (usage of) crypto-api.

I think adding attributes to the key and the parsed key like bool ingore_dates and bool parsed_dates_invalid might be an option. Using such x509_key_preparse() could just set parsed_dates_invalid instead of returning with -EKEYREJECTED or -EKEYEXPIRED, if it encounters invalid dates.

Regards,

Alexander

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jonghwa Lee: "[PATCH v2] rtc: max8997: Add driver for max8997 rtc."
Previous message: Florian Westphal: "Regression, bisected: hyperv shutdown panics guest"
In reply to: Alexander Holler: "Re: MODSIGN without RTC?"
Next in thread: Olaf Titz: "Re: MODSIGN without RTC?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]