From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756526AbbESQPa (ORCPT ); Tue, 19 May 2015 12:15:30 -0400 Received: from bombadil.infradead.org ([198.137.202.9]:52809 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752783AbbESQP1 (ORCPT ); Tue, 19 May 2015 12:15:27 -0400 Message-ID: <1432052112.3277.66.camel@infradead.org> Subject: Re: [PATCH 10/8] modsign: Allow password to be specified for signing key From: David Woodhouse To: Petko Manolov Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, mcgrof@suse.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org Date: Tue, 19 May 2015 17:15:12 +0100 In-Reply-To: <20150519155010.GA7549@localhost> References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <1432046758.3277.36.camel@infradead.org> <20150519155010.GA7549@localhost> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-SRS-Rewrite: SMTP reverse-path rewritten from by bombadil.infradead.org See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2015-05-19 at 18:50 +0300, Petko Manolov wrote: > On 15-05-19 15:45:58, David Woodhouse wrote: > > We don't want this in the Kconfig since it might then get exposed in > > /proc/config.gz. So make it a parameter to Kbuild instead. This also > > means we don't have to jump through hoops to strip quotes from it, as > > we would if it was a config option. > > If it were on a network-less, secure sign/build server i'd say it is OK. > > However, exposing your private key's password in an environment variable on a > regular Linux box is a bit fishy. I don't quite understand the objection. If you want the modules to be signed with an external key of your choice, then for the duration of the 'make modules_sign' run (or 'make modules_install if CONFIG_MODULE_SIG_ALL=y) surely the password has to be available *somehow*? You are, of course, free to sign the modules by invoking sign-file directly. In which case you *still* need to provide it with the password for the key somehow, if there is one. Mimi quite rightly pointed out that my original mechanism for this, a CONFIG_MODULE_SIG_KEY_PASSWORD option, was inadvertently exposing it more than was necessary. As it is now, you *only* need it in the environment for the duration of the operations that actually *use* it. Do you have a better suggestion? -- David Woodhouse Open Source Technology Centre David.Woodhouse@intel.com Intel Corporation