Re: [PATCH] Allow automatic kernel taint on unsigned module load to be disabled

[Rusty Russell]

Matthew Garrett <mjg59@xxxxxxxxxx> writes:
> On Sat, Aug 5, 2017 at 11:54 PM, Rusty Russell <rusty@xxxxxxxxxxxxxxx> wrote:
>> Matthew Garrett <mjg59@xxxxxxxxxx> writes:
>>> Distributions may wish to provide kernels that permit loading of
>>> unsigned modules based on certain policy decisions.
>>
>> Sorry, that's way too vague to accept this patch.
>>
>> So I'm guessing a binary module is behind this vagueness.  If you want
>> some other method than signing to vet modules, please do it in
>> userspace.  You can do arbitrary things that way...
>
> Binary modules will still be tainted by the license checker. The issue
> is that if you want to enforce module signatures under *some*
> circumstances, you need to build with CONFIG_MODULE_SIG

Not at all!  You can validate them in userspace.

> but that
> changes the behaviour of the kernel even when you're not enforcing
> module signatures. The same kernel may be used in environments where
> you can verify the kernel and environments where you can't, and in the
> latter you may not care that modules are unsigned. In that scenario,
> tainting doesn't buy you anything.

With your patch, you don't get tainting in the environment where you can
verify.

You'd be better adding a sysctl or equiv. to turn off force loading, and
use that in your can-verify system.

Cheers,
Rusty.