Re: Should we automatically generate a module signing key at all?

[David Howells]

Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:

> The actual runtime code needed to implement a hash tree solution is
> maybe twenty lines.  The bzImage will be smaller,

But the initramfs image will be bigger because it will have to carry the
entire module hash list just in case any particular module needs to get loaded
from the initramfs.  You have to carry the entire hash set so that you can
hash it and compare against the one hash in the vmlinux file.

And that doesn't include the issue of hashing the firmware blobs you might
need.

> With your proposal, I need to trust that whoever built the actual
> running kernel image really did throw away the key.  If they didn't,
> then under whatever threat model requires that I enable module
> verification, I'm screwed -- the bad guy has the private key.

Each private key is used for one single kernel, so if they steal one, you can
blacklist it if you have the capability (eg. UEFI) and change your kernel.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/