Re: Should we automatically generate a module signing key at all?

From: David Woodhouse
Date: Tue May 19 2015 - 03:42:28 EST


On Mon, 2015-05-18 at 17:51 -0700, Andy Lutomirski wrote:
> I think we should get rid of the idea of automatically generated signing
> keys entirely. Instead I think we should generate, at build time, a
> list of all the module hashes and link that into vmlinux.

How many module hashes can you have hard-coded into the image, before
all that (non-compressible, I hope!) data ends up being larger than the
'public key crud'?

If you really wanted to make the public key version minimal, I bet you
could rip out the X.509 support and make it *just* check that the module
is signed by a single specified RSA public key. We're fairly certain to
have a hash algorithm in the kernel already, and all we really need on
top of that is RSA-encrypt, for which there are other uses, too.

> Also, this scheme is compatible with deterministic builds, whereas the
> current scheme is fundamentally broken if you try to deterministically
> build a kernel without trusting some key issuer.

Well, if you're just trying to check that you can reproduce the previous
kernel then you don't need the private key at all. You don't get to
reproduce the *signing* step from scratch; all you can do is validate
that the previously-generated signature is still correct. But you can
reproduce the *compilation*.

--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation
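Added illustration of the two designs being weighed in the reply above (this is example code written for this page, not code from the kernel or from either poster): a hash allowlist linked into the image versus a single-key RSA check over a module digest, plus what a rebuilder who holds no private key can still confirm. The sample modules, the seeded toy key generation and the textbook (unpadded) RSA are constructed for the example; `break_even_module_count` is a deliberate simplification that counts only the table bytes against a given size for the public-key code and data, and the real kernel signing path (PKCS#1 padding, X.509 parsing) is not modelled.

```python
"""Two ways a kernel image could vouch for its modules, and what a
reproducible rebuild can re-derive for each.  Example code, not kernel code.

  1. Hash allowlist: a table of SHA-256 digests of every module is linked
     into the image; loading checks membership.  No keys at all.
  2. Single-key signature: each module carries an RSA signature over its
     digest; the image carries only one public key.

RSA here is textbook (no padding) with 512-bit primes from a seeded
generator so the run is deterministic; it is for illustration only.
"""
import hashlib
import random

HASH_LEN = 32  # SHA-256 digest length in bytes

# Constructed sample "modules": name -> bytes of the built .ko (not real modules)
SAMPLE_MODULES = {
    "e1000e.ko": b"\x7fELF" + b"e1000e code " * 40,
    "xfs.ko": b"\x7fELF" + b"xfs code " * 60,
    "nf_tables.ko": b"\x7fELF" + b"nf_tables code " * 25,
}


def build_hash_table(modules):
    """Design 1: concatenated digests, sorted by module name, so the table is a
    pure function of the module contents and therefore build-deterministic."""
    return b"".join(hashlib.sha256(modules[n]).digest() for n in sorted(modules))


def module_allowed_by_table(table, blob):
    """Loader-side check for design 1: is this module's digest in the table?"""
    digest = hashlib.sha256(blob).digest()
    return any(table[i:i + HASH_LEN] == digest for i in range(0, len(table), HASH_LEN))


def break_even_module_count(pubkey_crud_bytes, hash_len=HASH_LEN):
    """Simplified answer to the size question: how many module hashes fit before
    the table outweighs the public-key code and data it would replace."""
    return pubkey_crud_bytes // hash_len


# ---- Design 2: a hash plus one RSA public-key operation ----
def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (toy key generation support)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_rsa_key(seed=20150519, bits=512):
    """Toy RSA key generation; the seeded RNG stands in for the build-time
    'automatically generated signing key' the thread is debating."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def sign_module(blob, priv):
    """Needs the private exponent; the digest (< 2**256) is below n."""
    m = int.from_bytes(hashlib.sha256(blob).digest(), "big")
    return pow(m, priv["d"], priv["n"])


def verify_module_signature(blob, sig, pub):
    """All the image needs for design 2: a hash and one RSA public-key op."""
    m = int.from_bytes(hashlib.sha256(blob).digest(), "big")
    return pow(sig, pub["e"], pub["n"]) == m


def check_rebuild(shipped_table, shipped_sigs, pub, rebuilt_modules):
    """What a rebuilder without the private key can do: recompile, confirm the
    hash table comes out identical, and confirm the shipped signatures still
    verify against the rebuilt bytes.  It cannot produce fresh signatures."""
    return {
        "table_reproduced": build_hash_table(rebuilt_modules) == shipped_table,
        "old_signatures_verify": all(
            verify_module_signature(rebuilt_modules[n], shipped_sigs[n], pub)
            for n in rebuilt_modules),
    }


def demo():
    """Run both designs over the sample modules and a tampered rebuild."""
    priv = generate_rsa_key()
    pub = {"n": priv["n"], "e": priv["e"]}
    table = build_hash_table(SAMPLE_MODULES)
    sigs = {n: sign_module(b, priv) for n, b in SAMPLE_MODULES.items()}
    tampered = dict(SAMPLE_MODULES)
    tampered["xfs.ko"] += b"\x00"  # one byte changed in the "rebuilt" module
    return {
        "table_bytes": len(table),
        "xfs_allowed": module_allowed_by_table(table, SAMPLE_MODULES["xfs.ko"]),
        "unknown_allowed": module_allowed_by_table(table, b"\x7fELF unknown"),
        "clean_rebuild": check_rebuild(table, sigs, pub, dict(SAMPLE_MODULES)),
        "tampered_rebuild": check_rebuild(table, sigs, pub, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The point the rebuild check makes concrete: with the hash table, a deterministic rebuild regenerates the exact bytes that were shipped, so there is nothing left to trust; with the signature design, the rebuilder can only confirm that the old signatures still match the recompiled modules, and any change (here a single appended byte) invalidates both checks.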
