Re: [GIT PULL] Security subsystem changes for 4.3
From: Linus Torvalds
Date: Tue Sep 08 2015 - 16:32:55 EST
On Mon, Aug 31, 2015 at 5:00 PM, James Morris <jmorris@xxxxxxxxx> wrote:
> Highlights:
> o PKCS#7 support added to support signed kexec, also utilized for module
> signing.
So when testing this, I realized that when somebody tries to load a
module with an invalid key, there doesn't seem to be any logs left
about that.
I don't think this is new, it's just that the certificate generation
changes made me test loading a module with the wrong cert, and while
module loading itself failed gracefully and correctly with ENOKEY
("Required key not available"), I also ended up checking dmesg,
because I - clearly incorrectly - thought that we'd warn the sysadmin
about this too).
So I think that module loading failures due to lack of keys really
should raise a few flags. Maybe the system is secure from some
attacks, but you'd still want to know that somebody tried to do
something fishy.
We *do* end up warning ("module verification failed") and tainting the
kernel if we end up loading the module despite the key failing, but
the situation I'm talking about is the "sig_enforce" case, which just
causes a module loading failure with no system warning.
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/