On 25.01.2013 04:20:07, +0100, Matthew Garrett <[email protected]> wrote:
Hi Matthew, > On Fri, Jan 25, 2013 at 12:14:54AM +0000, David Howells wrote: > >> You can't rely on someone trying to sneak a dodgy crypto module in to set the >> flag when they build it. The detection thus needs to be done in the kernel >> during the module load. >> >> Can you search the module image for "crypto_register_" I wonder? If that's >> there, it's a crypto module. > > If you're trying to protect against malice rather than accident, what's > going to stop the module from just finding and modifying data structures > itself? If you want to panic if you've just loaded something that might > compromise your crypto implementations, you've got to panic on all > unsigned module loads. That is the issue here. We want to protect against accidental changes and modifications. Malicious attacks will never be caught by the FIPS requirements where a module is allowed to check itself. If an attacker is able to load any kind of kernel module, we have lost. Period. Thus, from a FIPS point of view the latest patch from Kyle is also appropriate, provided the concerns I raised there are covered. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
