Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]

[Luis R. Rodriguez]

On Thu, May 21, 2015 at 3:24 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Thu, May 21, 2015 at 3:16 PM, Luis R. Rodriguez <mcgrof@xxxxxxxx> wrote:
>> On Thu, May 21, 2015 at 3:06 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>>> Given that, I would say that merely shoving firmware files through the
>>> module verifier as-is would not be okay.
>>
>> Replacing one dog and pony show for another is what is going on, what
>> you describe and suggest seems best, and I welcome patches, it seems
>> you know what you are talking about :)
>>
>
> Don't hold your breath.  My plate is over-full.  I'm probably a decent
> reviewer of crypto, though.

Well as good as you are in 10 years we'll have better ones. So when
module signature went into the kernel the real expectation should have
been:

This code looks good now but is going to be complete shit and
breakable a few years from now.

Hence my first implicit and now explicit claims on dog and pony shows.
Best thing we can do IMHO is to just allow us to replace stupid human
code with better human code later, and eventually hopefully better AI
code, and so on. Since you don't have time for a real replacement
maybe what we can do is at least document / target / agree for what
pipe dream we want and shoot for it with time. Hopefully folks will
find time to implement it.

In the meantime should that block current dog and pony show trading? I
don't think so.

  Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/