Re: [PATCH 00/23] Crypto keys and module signing
From: Rusty Russell
Date: Mon Jun 04 2012 - 21:07:35 EST
On Mon, 4 Jun 2012 09:38:43 -0400, Josh Boyer <jwboyer@xxxxxxxxx> wrote:
> On Sun, Jun 3, 2012 at 9:16 PM, Rusty Russell <rusty@xxxxxxxxxxxxxxx> wrote:
> > Mangling a module after it is signed is very odd, and odd things aren't
> > nice for security features. ÂThat's how we got here; I'm trying to move
> > the oddness out of the verification path.
>
> It's unfortunate, yes. The biggest case I can think of is splitting
> the debug symbols out of the modules after they are built (David might
> have other cases). Perhaps we could upstream that as well and
> organize it such that the modules are built, split for debuginfo, and
> then signed?
That was my original suggestion. Just prepare all the module variants
at build time, and sign them all.
See: https://lkml.org/lkml/2011/12/10/16
Cheers,
Rusty.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/