Re: [RFC PATCH] Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE

From: Mathieu Desnoyers
Date: Sun Feb 16 2014 - 18:58:47 EST


----- Original Message -----
> From: "Rusty Russell" <rusty@xxxxxxxxxxxxxxx>
> To: "Steven Rostedt" <rostedt@xxxxxxxxxxx>
> Cc: "Ingo Molnar" <mingo@xxxxxxxxxx>, "Mathieu Desnoyers" <mathieu.desnoyers@xxxxxxxxxxxx>,
> linux-kernel@xxxxxxxxxxxxxxx, "Ingo Molnar" <mingo@xxxxxxxxxx>, "Thomas Gleixner" <tglx@xxxxxxxxxxxxx>, "David
> Howells" <dhowells@xxxxxxxxxx>, "Greg Kroah-Hartman" <gregkh@xxxxxxxxxxxxxxxxxxx>
> Sent: Thursday, February 13, 2014 7:51:19 PM
> Subject: Re: [RFC PATCH] Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE
>
> Steven Rostedt <rostedt@xxxxxxxxxxx> writes:
> > On Thu, 13 Feb 2014 13:54:42 +1030
> > Rusty Russell <rusty@xxxxxxxxxxxxxxx> wrote:
> >
> >
> >> I'm ambivalent towards out-of-tree modules, so not tempted unless I see
> >> a bug report indicating a concrete problem. Then we can discuss...
> >
> > As I replied in another email, this is a concrete problem, and affects
> > in-tree kernel modules.
> >
> > If you have the following in your .config:
> >
> > CONFIG_MODULE_SIG=y
> > # CONFIG_MODULE_SIG_FORCE is not set
> > # CONFIG_MODULE_SIG_ALL is not set
>
> This means you've set the "I will arrange my own module signing" config
> option:
>
> Sign all modules during make modules_install. Without this option,
> modules must be signed manually, using the scripts/sign-file tool.
>
> comment "Do not forget to sign required modules with scripts/sign-file"
> depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
>
> Then you didn't do that. You broke it, you get to keep both pieces.
>
> Again: is there an actual valid use case?

One use-case where this is biting us for in-tree modules is when a user or
developer recompiles modules against a distribution kernel which has
CONFIG_MODULE_SIG set (and possibly CONFIG_MODULE_SIG_ALL), but does not
recompile the kernel per se. That user/developer might want to try out a
local modification to one of his modules (which is something within the
user's rights given by the GPL), or want to add tracepoints to a module to
figure out what is going wrong. It is then not possible to sign the
recompiled modules, since it makes no sense to expect distribution vendors
to ever distribute their private signing keys; that would defeat the whole
point of signing.

In those cases, when loaded in a kernel that is not enforcing module
signature, the recompiled modules will taint the kernel and modules with
"TAINT_FORCED_MODULE" (which is a lie: the modules can be loaded without
--force), and the tracepoints sitting in that module are silently ignored
(which is a bug).

Thanks,

Mathieu

--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
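
Added example, not part of the original message or of the kernel sources: a userspace structural check for whether a module image carries the appended signature that scripts/sign-file produces, which is what a locally recompiled module in the scenario above lacks. Assumptions: the 12-byte trailer layout follows the kernel's struct module_signature, the names modsig_len and MODSIG_* are hypothetical, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MAGIC_LEN   (sizeof(MODULE_SIG_STRING) - 1)
#define TRAILER_LEN 12  /* assumed sizeof(struct module_signature) */

enum { MODSIG_NONE = -1, MODSIG_MALFORMED = -2 };

/* Return the appended signature's length in bytes, or a MODSIG_* code.
 * Structural check only: the signature is not verified cryptographically. */
long modsig_len(const uint8_t *buf, size_t len)
{
    if (len < MAGIC_LEN ||
        memcmp(buf + len - MAGIC_LEN, MODULE_SIG_STRING, MAGIC_LEN) != 0)
        return MODSIG_NONE;             /* no marker: module is unsigned */
    len -= MAGIC_LEN;
    if (len < TRAILER_LEN)
        return MODSIG_MALFORMED;
    /* Trailer: algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len */
    const uint8_t *t = buf + len - TRAILER_LEN;
    len -= TRAILER_LEN;
    uint32_t sig_len = (uint32_t)t[8] << 24 | (uint32_t)t[9] << 16 |
                       (uint32_t)t[10] << 8 | t[11];
    if ((uint64_t)sig_len + t[3] + t[4] > len)
        return MODSIG_MALFORMED;        /* claims more bytes than the file holds */
    return (long)sig_len;
}

/* Constructed samples (not real modules): 4-byte body, 3-byte fake signature. */
static const uint8_t sample_signed[] =
    "BODY" "\xAA\xBB\xCC" "\0\0\2\0\0\0\0\0" "\0\0\0\3" MODULE_SIG_STRING;
static const uint8_t sample_unsigned[] = "BODY";
static const uint8_t sample_bad[] =     /* sig_len says 256, only 7 bytes precede */
    "BODY" "\xAA\xBB\xCC" "\0\0\2\0\0\0\0\0" "\0\0\1\0" MODULE_SIG_STRING;

int main(void)
{
    printf("signed:   %ld\n", modsig_len(sample_signed, sizeof(sample_signed) - 1));
    printf("unsigned: %ld\n", modsig_len(sample_unsigned, sizeof(sample_unsigned) - 1));
    printf("bad:      %ld\n", modsig_len(sample_bad, sizeof(sample_bad) - 1));
    return 0;
}
```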