Re: Fw: signed kernel modules?
From: Rusty Russell (IBM)
Date: Mon Oct 11 2004 - 17:39:51 EST
On Tue, 2004-10-12 at 01:15, David Woodhouse wrote:
> On Mon, 2004-10-11 at 16:11 +0100, David Howells wrote:
> > > Sign the whole thing. Use a signature format which doesn't suck (ASN1
> > > parsing in the kernel? Hmm...). Have your build system spit out two
> > > RPMs, one with full debug modules, and one without. This is not rocket
> > > science.
> >
> > You make it sound so simple...
> >
> > I've adapted my patches to sign the whole thing
>
> Why on earth would you want to sign the whole thing? As you've observed,
> that means the signature gets broken when the debug info is stripped,
> etc. Sign just what the kernel actually _looks_ at, nothing more.
Welcome to the debate David. I agree that you only need to sign the
things that the kernel looks at, unfortunately, there's not a nice clear
line: for example the headers change when you strip the module, and they
need to be signed.
Trying to work around it just gets you into more and more complexity:
you can't trust the module until you've checked the signature, and when
you don't trust the module you have to write paranoid code, which is
very ugly and causes bloat. David Howells just sidestepped this and
trusted the module headers, and so I refused his patch.
> > [*] You're still wrong, of course, but that's your prerogative:-)
>
> That doesn't mean you have to pander to him.
Nor do I have to re-iterate the points from the discussion for someone
who hasn't bothered reading it. But I did.
Rusty.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/