Re: [PATCH RFC 2/2] module: Introduce hash-based integrity checking
From: Luis Chamberlain
Date: Wed Jan 08 2025 - 14:08:22 EST
On Sat, Jan 04, 2025 at 07:30:39AM +0100, Thomas Weißschuh wrote:
> Hi Luis,
>
> On 2025-01-03 17:37:52-0800, Luis Chamberlain wrote:
> > On Wed, Dec 25, 2024 at 11:52:00PM +0100, Thomas Weißschuh wrote:
> > > diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
> > > index 7b329057997ad2ec310133ca84617d9bfcdb7e9f..57d317a6fa444195d0806e6bd7a2af6e338a7f01 100644
> > > --- a/kernel/module/Kconfig
> > > +++ b/kernel/module/Kconfig
> > > @@ -344,6 +344,17 @@ config MODULE_DECOMPRESS
> > >
> > > If unsure, say N.
> > >
> > > +config MODULE_HASHES
> > > + bool "Module hash validation"
> > > + depends on !MODULE_SIG
> >
> > Why are these mutually exclusive? Can't you want module signatures *and*
> > this as well? What distro which is using module signatures would switch
> > to this as an alternative instead? The help menu does not clarify any of
> > this at all, and neither does the patch.
>
> The exclusivity is to keep the initial RFC patch small.
> The cover letter lists "Enable coexistence with MODULE_SIG" as
> a further improvement.
Looking forward to that.
> In general this MODULE_HASHES would be used by distros which are
> currently using the build-time generated signing key with
> CONFIG_MODULE_SIG_KEY=certs/signing_key.pem.
The Kconfig needs to describe this, otherwise no one would sensibly
enable this.
> More concretely the Arch Linux team has expressed interest.
Interest sure, but will it be used? If not there is no point to this.
What do the other distro have to think about this?
Luis