Re: [PATCH v3 0/3][RESEND] modsign enhancement

From: Jessica Yu
Date: Tue Mar 27 2018 - 18:11:48 EST


+++ Jia Zhang [24/03/18 10:59 +0800]:
This patch series allows to disable module validity enforcement
in runtime through the control switch located in securityfs.

In order to keep /sys/module/module/parameters/sig_enforce simple,
the disablement switch is located at
/sys/kernel/security/modsign/disable_enforce.

Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to
test this control switch.

# cat /sys/module/module/parameters/sig_enforce
N
# echo 1 > /sys/module/module/parameters/sig_enforce
# cat /sys/module/module/parameters/sig_enforce
Y
# echo -n 0 > no_sig_enforce
# openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \
-inkey <system_trusted_key> -signer <cert> -outform der \
-out /sys/kernel/security/modsign/disable_enforce
# cat /sys/module/module/parameters/sig_enforce
N

I'm not convinced we need this. And neither the use case nor the
motivation is explained in the cover letter :-(

The way I see it - the only time you'd actually use this is in the
situation where you have *already* enabled sig_enforce, and then later
you change your mind - meaning you wanted to load unsigned modules
after all. And if you ever plan on loading unsigned modules, why would
you have enabled sig_enforce in the first place? If you want to keep
the option of loading unsigned modules, don't have sig_enforce or
CONFIG_MODULE_SIG_FORCE enabled.

[ CC'd Rusty in case he has some thoughts on this ]

Jessica