From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752192AbeCMRSj (ORCPT ); Tue, 13 Mar 2018 13:18:39 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:43168 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751673AbeCMRSg (ORCPT ); Tue, 13 Mar 2018 13:18:36 -0400 Message-ID: <1520961515.5360.19.camel@HansenPartnership.com> Subject: Re: [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module From: James Bottomley To: "Lee, Chun-Yi" , David Howells Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" , Josh Boyer Date: Tue, 13 Mar 2018 10:18:35 -0700 In-Reply-To: <20180313103803.13388-5-jlee@suse.com> References: <20180313103803.13388-1-jlee@suse.com> <20180313103803.13388-5-jlee@suse.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote: > This patch adds the logic for checking the kernel module's hash > base on blacklist. The hash must be generated by sha256 and enrolled > to dbx/mokx. > > For example: > sha256sum sample.ko > mokutil --mokx --import-hash $HASH_RESULT > > Whether the signature on ko file is stripped or not, the hash can be > compared by kernel. What's the use case for this?  We're already in trouble from the ODMs for the size of dbx and its consumption of the extremely limited variable space, so do we really have a use case for adding module blacklist hashes to the UEFI variables given the space constraints (as in one we can't do any other way)? James