Matthew Garrett <mj...@google.com> writes: > On Sat, Aug 5, 2017 at 11:54 PM, Rusty Russell <ru...@rustcorp.com.au> wrote: >> Matthew Garrett <mj...@google.com> writes: >>> Distributions may wish to provide kernels that permit loading of >>> unsigned modules based on certain policy decisions. >> >> Sorry, that's way too vague to accept this patch. >> >> So I'm guessing a binary module is behind this vagueness. If you want >> some other method than signing to vet modules, please do it in >> userspace. You can do arbitrary things that way... > > Binary modules will still be tainted by the license checker. The issue > is that if you want to enforce module signatures under *some* > circumstances, you need to build with CONFIG_MODULE_SIG
Not at all! You can validate them in userspace. > but that > changes the behaviour of the kernel even when you're not enforcing > module signatures. The same kernel may be used in environments where > you can verify the kernel and environments where you can't, and in the > latter you may not care that modules are unsigned. In that scenario, > tainting doesn't buy you anything. With your patch, you don't get tainting in the environment where you can verify. You'd be better adding a sysctl or equiv. to turn off force loading, and use that in your can-verify system. Cheers, Rusty.