Sorry Rusty, I don't want allfastconfig, I want debugging on too as that has uncovered build regressions in the past.
- +David Miller: what the fuck would be the point of user-land validation, when the whole point of signed kernel modules is "we don't trust somebody who may have gotten root to not insert a malicious kernel module"?
And what's your blathering about trusting the kernel source tree to SHA1 but not binaries? SHA1 is a data integrity thing. It's not a "secure signature". We do have gpg signatures on tags on the source tree too, but those aren't sha1, those are the very RSA that you are ranting against.
Your arguments make no sense. Oct 16, 2012
- Wouldn't +Josh Boyer's proposal in your last post be a decent compromise? To move the module signing to 'make modules_sign' run before 'make modules_install'? Oct 16, 2012
- +Niklas Bolander: I think signing at install time might well work fine too. I haven't seen the patch or the implications, though. Oct 16, 2012
- +Niklas Bolander +Linus Torvalds we're carrying it in Fedora. Basically, it reuses the existing signing scripts from David Howells but works on the installed module tree (e.g. after you call make modules_install). It's a fairly small patch in and of itself, but it would be the only kbuild target I know of that modifies modules in the installed location.
This needs cleanup to avoid a revert and perhaps allow for both build time and post-install time options, but you can find the quick and dirty version here:
http://jwboyer.fedorapeople.org/pub/modsign-rawhide.patch Oct 17, 2012
- +Josh Boyer: forgot to cc you on the email with a simpler patch which just moves things to "make modules_install" and removes a lot of silly crud wrt stripping games etc.
http://permalink.gmane.org/gmane.linux.kernel/1377265
Comments? Oct 17, 2012
- +Linus Torvalds It's certainly simpler (I'll reply on-list), but for distros that do debuginfo it won't work. I wrote this a while ago to explain why:
http://jwboyer.livejournal.com/44787.html
Probably start with the 4th paragraph. It was written with Fedora planet in mind as the target audience. Oct 17, 2012