On 2018/3/28 上午6:11, Jessica Yu wrote: > +++ Jia Zhang [24/03/18 10:59 +0800]: >> This patch series allows to disable module validity enforcement >> in runtime through the control switch located in securityfs. >> >> In order to keep /sys/module/module/parameters/sig_enforce simple, >> the disablement switch is located at >> /sys/kernel/security/modsign/disable_enforce. >> >> Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to >> test this control switch. >> >> # cat /sys/module/module/parameters/sig_enforce >> N >> # echo 1 > /sys/module/module/parameters/sig_enforce >> # cat /sys/module/module/parameters/sig_enforce >> Y >> # echo -n 0 > no_sig_enforce >> # openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \ >> -inkey <system_trusted_key> -signer <cert> -outform der \ >> -out /sys/kernel/security/modsign/disable_enforce >> # cat /sys/module/module/parameters/sig_enforce >> N > > I'm not convinced we need this. And neither the use case nor the > motivation is explained in the cover letter :-( > > The way I see it - the only time you'd actually use this is in the > situation where you have *already* enabled sig_enforce, and then later > you change your mind - meaning you wanted to load unsigned modules > after all. And if you ever plan on loading unsigned modules, why would > you have enabled sig_enforce in the first place? If you want to keep
Similar SELinux, this is just providing a runtime switch to disable modsign temporarily in a safer way. At least it is cannot be simply disabled. Thanks, Jia > the option of loading unsigned modules, don't have sig_enforce or > CONFIG_MODULE_SIG_FORCE enabled. > > [ CC'd Rusty in case he has some thoughts on this ] > > Jessica
