Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

From: James Morris
Date: Fri Mar 08 2019 - 23:45:45 EST

Next message: Kangjie Lu: "[PATCH] iio: max9611: fix a NULL pointer dereference"
Previous message: Kangjie Lu: "[PATCH] hid: logitech: check the return value of create_singlethread_workqueue"
In reply to: Matthew Garrett: "Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 8 Mar 2019, Matthew Garrett wrote:

> On Fri, Mar 8, 2019 at 3:00 PM James Morris <jmorris@xxxxxxxxx> wrote:
> >
> > On Wed, 6 Mar 2019, Matthew Garrett wrote:
> >
> > > From: David Howells <dhowells@xxxxxxxxxx>
> > >
> > > If the kernel is locked down, require that all modules have valid
> > > signatures that we can verify.
> >
> > Perhaps note that this won't cover the case where folk are using DM-Verity
> > with a signed root hash for verifying kernel modules.
>
> Mm. I can't see a terribly good way of doing this generically -
> loadpin gives no indication to the module loading code that it comes
> from a trusted source. Would making the lockdown/module signature
> enforcement a separate config option be reasonable?

I was just suggest documenting this.

--
James Morris
<jmorris@xxxxxxxxx>

Next message: Kangjie Lu: "[PATCH] iio: max9611: fix a NULL pointer dereference"
Previous message: Kangjie Lu: "[PATCH] hid: logitech: check the return value of create_singlethread_workqueue"
In reply to: Matthew Garrett: "Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]