Re: [PATCHv7 0/3] Kernel Live Patching

From: Jiri Kosina
Date: Tue Dec 16 2014 - 15:14:45 EST


On Tue, 16 Dec 2014, Balbir Singh wrote:

> Could you describe what this does to signing? I presume the patched
> module should cause a taint on module signing?

Hmm, why should it?

- if module signatures are enforced on the system in question, the module
with the patch itself has to be signed as well, otherwise it will not be
loaded by the kernel at all in the first place

- after the trusted (signed) module with the patch is loaded, this is in
principle no way different than other self-modifications the kernel is
performing all the time (static keys, alternatives, kprobes, ...)

Yes, we are tainting a kernel, but for reasons completely unrelated to
module signing.

I actually think that module signing doesn't play any role whatsoever in
what this patchset is doing.

Thanks,

--
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/