Re: [PATCH 0/6] MODSIGN: Kernel module signing

From: Adrian Bunk
Date: Thu Feb 15 2007 - 16:32:59 EST

Next message: Mathieu Desnoyers: "Re: [PATCH] local_t : powerpc extension - use long for powerpc32"
Previous message: Indan Zupancic: "Re: [PATCH 0/6] MODSIGN: Kernel module signing"
In reply to: Valdis . Kletnieks: "Re: [PATCH 0/6] MODSIGN: Kernel module signing"
Next in thread: Valdis . Kletnieks: "Re: [PATCH 0/6] MODSIGN: Kernel module signing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 15, 2007 at 03:55:41PM -0500, Valdis.Kletnieks@xxxxxx wrote:
> On Wed, 14 Feb 2007 23:13:45 EST, Dave Jones said:
> > One argument in its favour is aparently Red Hat isn't the only vendor
> > with something like this. I've not investigated it, but I hear rumours
> > that suse has something similar. Having everyone using the same code
> > would be a win for obvious reasons.
>
> Another argument in its favor is that it actually allows the kernel to
> implement *real* checking of module licenses and trumps all the proposals
> to deal with MODULE_LICENSE("GPL\0Haha!"). A vendor (or user) that wants
> to be *sure* that only *really really* GPL modules are loaded can simply
> refuse to load unsigned modules - and then refuse to sign a module until
> after they had themselves visited the source's website, verified that the
> source code was available under GPL, and so on.
>
> Remember - the GPL is about the availability of the source. And at modprobe
> time, the source isn't available. So you're left with two options:
>
> 1) Trust the binary to not lie to you about its license.
> 2) Ask a trusted 3rd party (usually, the person/distro that built the kernel)
> whether they've verified the claim that it's really GPL.

There are different opinions whether the "complete source code" of the
GPLv2 includes in such cases public keys, making it questionable whether
your example will survive at court in all jurisdictions.

E.g. remember that gpl-violations.org has already successfully enforced
the publication of public keys for "firmware only loads signed kernels"
cases by threatening companies to otherwise take legal actions in
Germany.

cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mathieu Desnoyers: "Re: [PATCH] local_t : powerpc extension - use long for powerpc32"
Previous message: Indan Zupancic: "Re: [PATCH 0/6] MODSIGN: Kernel module signing"
In reply to: Valdis . Kletnieks: "Re: [PATCH 0/6] MODSIGN: Kernel module signing"
Next in thread: Valdis . Kletnieks: "Re: [PATCH 0/6] MODSIGN: Kernel module signing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]