Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

From: Matthew Garrett
Date: Fri Mar 08 2019 - 18:31:03 EST

Next message: Nathan Chancellor: "Re: [PATCH] xfs: clean up xfs_dir2_leafn_add"
Previous message: David Miller: "Re: [PATCH] net: ethernet: sun: Zero initialize class in default case in niu_add_ethtool_tcam_entry"
In reply to: James Morris: "Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down"
Next in thread: James Morris: "Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Mar 8, 2019 at 3:00 PM James Morris <jmorris@xxxxxxxxx> wrote:
>
> On Wed, 6 Mar 2019, Matthew Garrett wrote:
>
> > From: David Howells <dhowells@xxxxxxxxxx>
> >
> > If the kernel is locked down, require that all modules have valid
> > signatures that we can verify.
>
> Perhaps note that this won't cover the case where folk are using DM-Verity
> with a signed root hash for verifying kernel modules.

Mm. I can't see a terribly good way of doing this generically -
loadpin gives no indication to the module loading code that it comes
from a trusted source. Would making the lockdown/module signature
enforcement a separate config option be reasonable?

Next message: Nathan Chancellor: "Re: [PATCH] xfs: clean up xfs_dir2_leafn_add"
Previous message: David Miller: "Re: [PATCH] net: ethernet: sun: Zero initialize class in default case in niu_add_ethtool_tcam_entry"
In reply to: James Morris: "Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down"
Next in thread: James Morris: "Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]