Re: [GIT PULL] Security subsystem changes for 4.3

From: Linus Torvalds
Date: Tue Sep 08 2015 - 16:32:55 EST

Next message: Paolo Bonzini: "Re: [PATCH 3/9] KVM: x86: add pcommit support"
Previous message: Paolo Bonzini: "Re: [PATCH 8/9] KVM: VMX: introduce set_clear_2nd_exec_ctrl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Aug 31, 2015 at 5:00 PM, James Morris <jmorris@xxxxxxxxx> wrote:
> Highlights:
> o PKCS#7 support added to support signed kexec, also utilized for module
> signing.

So when testing this, I realized that when somebody tries to load a
module with an invalid key, there doesn't seem to be any logs left
about that.

I don't think this is new, it's just that the certificate generation
changes made me test loading a module with the wrong cert, and while
module loading itself failed gracefully and correctly with ENOKEY
("Required key not available"), I also ended up checking dmesg,
because I - clearly incorrectly - thought that we'd warn the sysadmin
about this too).

So I think that module loading failures due to lack of keys really
should raise a few flags. Maybe the system is secure from some
attacks, but you'd still want to know that somebody tried to do
something fishy.

We *do* end up warning ("module verification failed") and tainting the
kernel if we end up loading the module despite the key failing, but
the situation I'm talking about is the "sig_enforce" case, which just
causes a module loading failure with no system warning.

Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paolo Bonzini: "Re: [PATCH 3/9] KVM: x86: add pcommit support"
Previous message: Paolo Bonzini: "Re: [PATCH 8/9] KVM: VMX: introduce set_clear_2nd_exec_ctrl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]