Re: [PATCH 21/21] MODSIGN: Apply signature checking to modules on module load [ver #3]
From: Rusty Russell
Date: Fri Dec 09 2011 - 07:06:23 EST
On Fri, 02 Dec 2011 18:46:51 +0000, David Howells <dhowells@xxxxxxxxxx> wrote:
> Signed modules may be safely stripped as the signature only covers those parts
> of the module the kernel actually uses and any ELF metadata required to deal
> with them. Any necessary ELF metadata that is affected by stripping is
> canonicalised by the sig generator and the sig checker to hide strip effects.
>
> This permits the debuginfo to be detached from the module and placed
> in another spot so that gdb can find it when referring to that module
> without the need for multiple signed versions of the module. Such is
> done by rpmbuild when producing RPMs.
>
> It also permits the module to be stripped as far as possible for when modules
> are being reduced prior to being included in an initial ramdisk composition.

And adds a great deal of code in a supposedly security-sensitive path to
achieve it.

How about simply appending a signature to the module? That'd be about 20
lines of code to carefully check the bounds of the module to figure out
where the signature is. You could even allow multiple signatures, then
have one for stripped, and one for non-stripped versions.

Sure, you now need to re-append that after stripping, but that's not the
kernel's problem.

Cheers,
Rusty.

PS. Yay for finding out about module patches via LWN! How would you
get this in without my ack, FFS?
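
The appended-signature approach suggested above, sketched as an added example that is not code from this thread or from the kernel: the loader peels signatures off the end of the image with explicit bounds checks, and the signer re-appends one after stripping. The trailer layout, the magic string and the names `append_sig`, `find_sigs` and `sig_span` are assumptions made for illustration; verifying the signature bytes is out of scope.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical layout: [module][sig bytes][u32 big-endian sig length][MAGIC] */
#define MAGIC     "~EXAMPLE-MODSIG~"
#define MAGIC_LEN (sizeof(MAGIC) - 1)
#define TRAILER   (4 + MAGIC_LEN)
struct sig_span { size_t off, len; };

/* Signer side: append sig and trailer at buf+len (caller ensures capacity). */
static size_t append_sig(uint8_t *buf, size_t len, const void *sig, uint32_t n)
{
    uint8_t be[4] = { (uint8_t)(n >> 24), (uint8_t)(n >> 16), (uint8_t)(n >> 8), (uint8_t)n };
    memcpy(buf + len, sig, n);
    memcpy(buf + len + n, be, 4);
    memcpy(buf + len + n + 4, MAGIC, MAGIC_LEN);
    return len + n + TRAILER;
}

/* Loader side: peel signatures off the end of buf[0..len). Returns how many
 * were found (0 = unsigned) and sets *payload to the length they cover, or
 * -1 if a trailer is malformed or more than max signatures are present. */
static int find_sigs(const uint8_t *buf, size_t len, struct sig_span *out,
                     int max, size_t *payload)
{
    int count = 0;
    while (len >= TRAILER &&
           memcmp(buf + len - MAGIC_LEN, MAGIC, MAGIC_LEN) == 0) {
        const uint8_t *t = buf + len - TRAILER;
        size_t n = ((size_t)t[0] << 24) | (t[1] << 16) | (t[2] << 8) | t[3];
        /* Compare the claimed length with the bytes left; never subtract first. */
        if (n == 0 || n > len - TRAILER || count == max)
            return -1;
        len -= TRAILER + n;
        out[count].off = len;
        out[count].len = n;
        count++;
    }
    *payload = len;
    return count;
}

int main(void)
{
    uint8_t buf[128] = "constructed module image";  /* constructed sample, 24 bytes */
    struct sig_span s[2];
    size_t payload, len = append_sig(buf, 24, "sig-A", 5);
    return find_sigs(buf, len, s, 2, &payload) == 1 ? 0 : 1;
}
```

Signatures are returned last-appended first, and every one of them covers the same `payload` bytes, so a verifier would try each against that range.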