Re: Allow automatic kernel taint on unsigned module load to be disabled

[Jessica Yu]

+++ Matthew Garrett [14/08/17 12:50 -0400]:
> On Thu, Aug 10, 2017 at 4:43 PM, Jessica Yu <jeyu@xxxxxxxxxx> wrote:
> > I think I'm missing some context here. Could you provide some more
> > background and help me understand why we want to go into all this
> > trouble just to avoid a taint?  Was there a recent bug report, mailing
> > list discussion, etc. that spurred you to write this patch? I'm not
> > understanding why this particular taint is undesirable.
>
> Hi Jessica,
>
> Does the version in https://lkml.org/lkml/2017/8/7/764 make this clearer?

Hi Matthew,

Sorry for the delay, I'm currently on leave traveling.

I understand what the patch is doing, what I don't yet understand is
_why_ you would want to remove the unsigned module taint when
CONFIG_MODULE_SIG is enabled. Which distributions are asking for this
exactly, and for what use cases? I find it a bit contradictory to have
CONFIG_MODULE_SIG enabled and at the same time expect the kernel to
behave as if the option wasn't enabled.

I would really prefer not to add extra code to remove what is cosmetic
and still has informational/debug value. If the unsigned module taint
is for whatever reason that bothersome, why can't distro(s) carry a
2-line patch removing the message and taint for those particular
setups where signatures are considered "irrelevant" even with
CONFIG_MODULE_SIG=y?

Thanks,

Jessica