Re: Should we automatically generate a module signing key at all?

From: Andy Lutomirski
Date: Tue May 19 2015 - 16:05:40 EST


On Tue, May 19, 2015 at 1:00 PM, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> On Tue, 2015-05-19 at 11:49 -0700, Andy Lutomirski wrote:
>>
>> If we use hashes instead of signatures on in-tree modules (at least in
>> the case where no long-term key is provided), then generation of the
>> temporary signing key stops being an issue because there is no longer
>> a temporary signing key.
>
> With signatures I can make a one-line change to a module and rebuild it,
> and still load it without having to rebuild my vmlinux to 'permit' it.
>
> My signing key is valid for as long as I *choose* it to be valid.
>
> I appreciate why that's a problem in your scenario, but it's a valid and
> useful feature of signatures, and I don't think we can just abandon it.

True, but I'd consider that use case (running a kernel built on a
development machine) to be more in line with unsigned use or long-term
(maybe medium-term) signing keys.

IOW, for this use case, running scripts/generate_module_signing_key or
whatever and configuring accordingly seems entirely reasonable to me.
Or you could just turn off forced module signature verification since
keeping the signing key in plaintext on your machine mostly negates
any benefit of verifying signatures on that machine at runtime.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
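The two trust models the thread argues about, as an added example that is not part of the original thread or of the kernel's own code: a hash allowlist baked into the kernel image at build time (Andy's "hashes instead of signatures") versus a public key in the kernel plus a detached signature on each module (David's long-lived signing key). Ed25519 over the raw module bytes and the fixed key seed are stand-ins chosen for this example, not the kernel's actual PKCS#7 module-signature format or its key handling, and the module contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Module stands in for a built .ko: only its bytes matter here.
type Module []byte

// HashPolicy models the hash proposal: the kernel image carries a fixed
// allowlist of digests of the in-tree modules, computed when vmlinux was
// built. There is no secret to protect, but any change to a module means
// rebuilding the allowlist, i.e. rebuilding vmlinux.
type HashPolicy struct {
	allowed map[[sha256.Size]byte]struct{}
}

func BuildHashPolicy(inTree []Module) *HashPolicy {
	p := &HashPolicy{allowed: make(map[[sha256.Size]byte]struct{})}
	for _, m := range inTree {
		p.allowed[sha256.Sum256(m)] = struct{}{}
	}
	return p
}

func (p *HashPolicy) Allow(m Module) bool {
	_, ok := p.allowed[sha256.Sum256(m)]
	return ok
}

// SigPolicy models signature verification: the kernel carries only a public
// key, and a module loads if it carries a signature by the matching private
// key. The key is valid for as long as its owner keeps trusting it, so an
// edited module can be re-signed and loaded without touching vmlinux.
type SigPolicy struct {
	pub ed25519.PublicKey
}

// Sign produces the detached signature that would travel with the module.
func Sign(priv ed25519.PrivateKey, m Module) []byte {
	return ed25519.Sign(priv, m)
}

func (p *SigPolicy) Allow(m Module, sig []byte) bool {
	return ed25519.Verify(p.pub, m, sig)
}

// Outcome records what each policy does at the points the thread argues about.
type Outcome struct {
	HashLoadsOriginal     bool // in-tree module loads under the hash allowlist
	HashLoadsEdited       bool // the one-line-changed module loads without a vmlinux rebuild
	HashLoadsAfterRebuild bool // ...and loads once vmlinux (the allowlist) is rebuilt
	SigLoadsResigned      bool // edited module loads after re-signing with the trusted key
	SigLoadsForeignKey    bool // a signature from an untrusted key is accepted
	PlaintextKeyAbuse     bool // whoever can read the on-disk key gets any module loaded
}

func Demo() Outcome {
	// Constructed stand-ins for two in-tree modules built alongside vmlinux.
	original := Module("module: e1000e v1")
	other := Module("module: xfs v1")
	// The "one-line change": a rebuilt module with different bytes.
	edited := Module("module: e1000e v1 + one-line fix")

	// Hash policy: allowlist fixed at vmlinux build time, then rebuilt.
	hp := BuildHashPolicy([]Module{original, other})
	hpRebuilt := BuildHashPolicy([]Module{edited, other})

	// Signature policy: key derived from a fixed seed so the example is
	// reproducible (assumption for this example; a real build draws the
	// key from crypto/rand or a long-term key the builder supplies).
	seed := sha256.Sum256([]byte("example-only module signing key seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	sp := &SigPolicy{pub: priv.Public().(ed25519.PublicKey)}

	// A second key the kernel does not trust.
	otherSeed := sha256.Sum256([]byte("some other key"))
	otherPriv := ed25519.NewKeyFromSeed(otherSeed[:])

	// If the private key sits in plaintext on the same machine, anyone who
	// can read it signs whatever they like; runtime verification then only
	// checks that the module passed through that key, not that it is trusted.
	payload := Module("module: arbitrary code chosen by whoever read the key")

	return Outcome{
		HashLoadsOriginal:     hp.Allow(original),
		HashLoadsEdited:       hp.Allow(edited),
		HashLoadsAfterRebuild: hpRebuilt.Allow(edited),
		SigLoadsResigned:      sp.Allow(edited, Sign(priv, edited)),
		SigLoadsForeignKey:    sp.Allow(edited, Sign(otherPriv, edited)),
		PlaintextKeyAbuse:     sp.Allow(payload, Sign(priv, payload)),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The hash policy rejects the edited module until the allowlist (here standing in for vmlinux) is rebuilt, while the signature policy accepts it as soon as it is re-signed; the last field is the flip side Andy points to, since a key readable on the machine lets the same verification path accept anything signed with it.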