linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>,
	David Howells <dhowells@redhat.com>,
	jmorris@namei.org, keyrings@linux-nfs.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [RFC] module: signature infrastructure
Date: Wed, 05 Sep 2012 09:34:37 -0400	[thread overview]
Message-ID: <1346852077.2389.7.camel@falcor> (raw)
In-Reply-To: <871uihl3bx.fsf@rustcorp.com.au>

On Wed, 2012-09-05 at 09:59 +0930, Rusty Russell wrote:
> "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com> writes:
> > Hi,
> >
> > Please read bellow...
> >
> > On Tue, Sep 4, 2012 at 8:55 AM, Rusty Russell <rusty@rustcorp.com.au> wrote:
> >> OK, I took a look at the module.c parts of David and Dmitry's patchsets,
> >> and didn't really like either, but I stole parts of David's to make
> >> this.
> >>
> >> So, here's the module.c part of module signing.  I hope you two got time
> >> to discuss the signature format details?  Mimi suggested a scheme where
> >> the private key would never be saved on disk (even temporarily), but I
> >> didn't see patches.  Frankly it's something we can do later; let's aim
> >> at getting the format right for the next merge window.
> >
> > In our patches key is stored on the disc in encrypted format...
> 
> Oh, I missed that twist.  Thanks for the explanation.
> 
> On consideration, I prefer signing to be the final part of the "modules"
> target rather than modules_install.  I run the latter as root, and that
> is wrong for doing any code generation.

Agreed, but keep in mind that 'modules_install' could subsequently strip
the module.

Mimi

> >> +       for (i = 0; i < *len - (sizeof(MODULE_SIG_STRING)-1); i++) {
> >> +               /* Our memcmp is dumb, speed it up a little. */
> >> +               if (((char *)mod)[i] != MODULE_SIG_STRING[0])
> >> +                       continue;
> >> +               if (memcmp(mod, MODULE_SIG_STRING, strlen(MODULE_SIG_STRING)))
> >
> > should be (mod+i)?
> 
> Yes, indeed.  Thanks, fixed.
> 
> >> +                       continue;
> >> +
> >> +               sig = mod + i + strlen(MODULE_SIG_STRING);
> >> +               siglen = *len - i - strlen(MODULE_SIG_STRING);
> >> +               *len = i;
> >> +               break;
> >> +       }
> >
> > In general please clarify why do you need such parsing at all?
> > Why not to have MODULE_SIG_STRING as a last octets of the module and
> > have signature length field before?
> > Then it is easy to get the signature and rest of the module?
> > That will be super fast...
> >
> > Please clarify.
> 
> Ignore performance, it's just not an issue here.  So the simplest code
> wins.
> 
> And it's also simpler to sign a module this way.
> 
>         (echo '~Module signature appended~'; gpg --sign ....) >> mod.ko
> 
> Cheers,
> Rusty.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 



  reply	other threads:[~2012-09-05 13:36 UTC|newest]

Thread overview: 48+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-16  1:34 [PATCH 00/25] Crypto keys and module signing David Howells
2012-08-16  1:34 ` [PATCH 01/25] KEYS: Add payload preparsing opportunity prior to key instantiate or update David Howells
2012-08-16  1:34 ` [PATCH 02/25] MPILIB: Provide count_leading/trailing_zeros() based on arch functions David Howells
2012-09-10  7:13   ` Kasatkin, Dmitry
2012-09-13  5:14     ` James Morris
2012-09-13 14:09       ` Kasatkin, Dmitry
2012-08-16  1:34 ` [PATCH 03/25] KEYS: Create a key type that can be used for general cryptographic operations David Howells
2012-08-16  1:34 ` [PATCH 04/25] KEYS: Add signature verification facility David Howells
2012-08-16  1:35 ` [PATCH 05/25] KEYS: Asymmetric public-key algorithm crypto key subtype David Howells
2012-08-16  1:35 ` [PATCH 06/25] MPILIB: Reinstate mpi_cmp[_ui]() and export for RSA signature verification David Howells
2012-08-16  1:35 ` [PATCH 07/25] KEYS: RSA: Implement signature verification algorithm [PKCS#1 / RFC3447] David Howells
2012-08-16  1:35 ` [PATCH 08/25] KEYS: RSA: Fix signature verification for shorter signatures David Howells
2012-08-16  1:35 ` [PATCH 09/25] PGPLIB: PGP definitions (RFC 4880) David Howells
2012-08-16  1:36 ` [PATCH 10/25] PGPLIB: Basic packet parser David Howells
2012-08-16  1:36 ` [PATCH 11/25] PGPLIB: Signature parser David Howells
2012-08-16  1:36 ` [PATCH 12/25] KEYS: PGP data parser David Howells
2012-08-16  1:36 ` [PATCH 13/25] KEYS: PGP-based public key signature verification David Howells
2012-08-16  1:36 ` [PATCH 14/25] KEYS: PGP format signature parser David Howells
2012-08-16  1:36 ` [PATCH 15/25] KEYS: Provide PGP key description autogeneration David Howells
2012-08-16  1:37 ` [PATCH 16/25] KEYS: Provide a function to load keys from a PGP keyring blob David Howells
2012-08-16  1:37 ` [PATCH 17/25] MODSIGN: Provide gitignore and make clean rules for extra files David Howells
2012-08-16  1:37 ` [PATCH 18/25] MODSIGN: Provide Documentation and Kconfig options David Howells
2012-08-16  1:37 ` [PATCH 19/25] MODSIGN: Sign modules during the build process David Howells
2012-08-16  1:37 ` [PATCH 20/25] MODSIGN: Provide module signing public keys to the kernel David Howells
2012-08-31 14:33   ` Michal Marek
2012-08-16  1:38 ` [PATCH 21/25] MODSIGN: Module signature verification David Howells
2012-08-16  1:38 ` [PATCH 22/25] MODSIGN: Automatically generate module signing keys if missing David Howells
2012-08-16  1:38 ` [PATCH 23/25] MODSIGN: Panic the kernel if FIPS is enabled upon module signing failure David Howells
2012-08-16  1:38 ` [PATCH 24/25] MODSIGN: Allow modules to be signed with an unknown key unless enforcing David Howells
2012-08-16  1:38 ` [PATCH 25/25] MODSIGN: Fix documentation of signed-nokey behavior when not enforcing David Howells
2012-08-21  5:04 ` [PATCH 00/25] Crypto keys and module signing Rusty Russell
2012-08-22 10:50 ` David Howells
2012-08-22 11:52   ` Mimi Zohar
2012-08-22 16:07   ` Kasatkin, Dmitry
2012-09-04  5:55 ` [RFC] module: signature infrastructure Rusty Russell
2012-09-04 12:07   ` Kasatkin, Dmitry
2012-09-04 12:21     ` Kasatkin, Dmitry
2012-09-04 13:40       ` Mimi Zohar
2012-09-05  0:29     ` Rusty Russell
2012-09-05 13:34       ` Mimi Zohar [this message]
2012-09-06  2:05         ` Rusty Russell
2012-09-04 14:25   ` Lucas De Marchi
2012-09-04 15:04     ` Kasatkin, Dmitry
2012-09-05  0:19     ` Rusty Russell
2012-09-05 23:41       ` Lucas De Marchi
2012-09-06  7:55         ` Rusty Russell
2012-09-04 22:51   ` David Howells
2012-09-04 23:17     ` Kasatkin, Dmitry

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1346852077.2389.7.camel@falcor \
    --to=zohar@linux.vnet.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@intel.com \
    --cc=jmorris@namei.org \
    --cc=keyrings@linux-nfs.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=rusty@rustcorp.com.au \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).