Re: [GIT PULL] Crypto keys and module signing

From: Arkadiusz Miśkiewicz
Date: Sat Dec 10 2011 - 06:42:44 EST


On Wed, Dec 7, 2011 at 3:47 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
>
> Hi James,
>
> Could you pull my module signing code into the security tree?  The patches can
> be viewed here:
>
> http://git.kernel.org/?p=linux/kernel/git/dhowells/linux-modsign.git;a=shortlog;h=refs/heads/devel

If I understand, it is not possible to sign modules after they are
built and load keys without actually rebuilding the kernel?

For a distro kernel, the public and secret keys have to be available
publicly, right? Otherwise people using distro kernels won't be able to
build their own signed modules for use with that distro kernel.

Then I, as admin, have to rebuild the kernel to get my own keys in and
prevent other, "unapproved" modules from being loaded. Correct?

Would be nice if the modules could be signed/re-signed after being
built, and perhaps the kernel could load keys from initramfs? Then
everyone could use their own keys on distro kernels without needing to
rebuild the thing.

I think I'm missing something :)

--
Arkadiusz Miśkiewicz