Re: Fw: signed kernel modules?

From: Rusty Russell (IBM)
Date: Wed Oct 13 2004 - 16:30:01 EST


On Wed, 2004-10-13 at 19:16, David Woodhouse wrote:
> On Wed, 2004-10-13 at 10:11 +1000, Rusty Russell (IBM) wrote:
> > Here's the level of paranoia required for the simplest case, that of
> > signing the entire module. The last Howells patches I saw didn't even
> > do any of *this*, let alone checking the rest of the module:
>
> We agree that the checks you cite are required. In fact we should have
> been doing a lot of these checks even _before_ we thought about signing
> modules.

No. What a complete and utter waste of time and code! At the moment,
we do minimum checks; this is because we don't even try to keep out
malicious code. At the moment, flip and random bit in a module and
you'll get weird behaviour. We don't check for that because we can't:
it's most likely in data or text anyway.

Now. if you're adding a signature, I insist that it should do detect all
relevant changes. Calling David's a "work in progress" and that "I'm
sure these problems will be fixed" doesn't ignore the fact that he has
resisted fixing them so far. He just doesn't seem to understand: could
you explain it to him please?

You are arguing that he should add elaborate checks, with care for those
arch-specific hooks and the requisite paranoia. I'm arguing that he
should just sum the whole module and be done. My method is far simpler,
with the cost that stripping the module requires a signature update.

If you really insist that the complexity is worth it, I want to see the
code. ALL the code. Because at the moment you're cheating.

Rusty.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/