Re: [PATCH v3 0/3][RESEND] modsign enhancement

From: Jia Zhang
Date: Tue Mar 27 2018 - 21:02:39 EST




On 2018/3/28 äå6:11, Jessica Yu wrote:
> +++ Jia Zhang [24/03/18 10:59 +0800]:
>> This patch series allows to disable module validity enforcement
>> in runtime through the control switch located in securityfs.
>>
>> In order to keep /sys/module/module/parameters/sig_enforce simple,
>> the disablement switch is located at
>> /sys/kernel/security/modsign/disable_enforce.
>>
>> Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to
>> test this control switch.
>>
>> # cat /sys/module/module/parameters/sig_enforce
>> N
>> # echo 1 > /sys/module/module/parameters/sig_enforce
>> # cat /sys/module/module/parameters/sig_enforce
>> Y
>> # echo -n 0 > no_sig_enforce
>> # openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \
>> ÂÂ -inkey <system_trusted_key> -signer <cert> -outform der \
>> ÂÂ -out /sys/kernel/security/modsign/disable_enforce
>> # cat /sys/module/module/parameters/sig_enforce
>> N
>
> I'm not convinced we need this. And neither the use case nor the
> motivation is explained in the cover letter :-(
>
> The way I see it - the only time you'd actually use this is in the
> situation where you have *already* enabled sig_enforce, and then later
> you change your mind - meaning you wanted to load unsigned modules
> after all. And if you ever plan on loading unsigned modules, why would
> you have enabled sig_enforce in the first place? If you want to keep

Similar SELinux, this is just providing a runtime switch to disable
modsign temporarily in a safer way. At least it is cannot be simply
disabled.

Thanks,
Jia

> the option of loading unsigned modules, don't have sig_enforce or
> CONFIG_MODULE_SIG_FORCE enabled.
>
> [ CC'd Rusty in case he has some thoughts on this ]
>
> Jessica