On Tue, May 19, 2015 at 10:44 AM, Linus Torvalds <[email protected]> wrote:
> On Mon, May 18, 2015 at 5:51 PM, Andy Lutomirski <[email protected]> wrote:
>>
>> I think we should get rid of the idea of automatically generated signing
>> keys entirely. Instead I think we should generate, at build time, a list of
>> all the module hashes and link that into vmlinux.
>
> Ugh. I think that would be a mistake. It doesn't add any new security
> (it's 100% equivalent to just using a throw-away key), and it adds new
> complexity and a new ordering dependency.
>
> Yes, yes, "throwing away the key" is a somewhat gray area, and just
> unlinking the key-file without any secure erase in theory makes it
> recoverable. In practice, though, it is fine. If you have an attacker
> that has raw access to your disk and almost infinite resources, they
> have easier ways to make your life miserable.

Throwing away the key is outright impossible in some contexts.

https://wiki.debian.org/ReproducibleBuilds

--Andy
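
The two schemes debated in this thread, compared on build reproducibility, as an added example that is not code from the thread or from the kernel build system. The module names and contents are constructed, all function names are hypothetical, and HMAC with a random per-build key stands in for the asymmetric throw-away signing key.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for built module files (name -> contents).
MODULES = {
    "ext4.ko": b"\x7fELF constructed ext4 module body",
    "e1000.ko": b"\x7fELF constructed e1000 module body",
}

def build_with_hash_list(modules):
    """Scheme A: the image embeds a sorted list of SHA-256 module hashes."""
    return tuple(sorted(hashlib.sha256(d).hexdigest() for d in modules.values()))

def load_with_hash_list(embedded, data):
    """Accept a module only if its hash is in the embedded list."""
    return hashlib.sha256(data).hexdigest() in embedded

def build_with_throwaway_key(modules):
    """Scheme B: a fresh random key per build, discarded after signing.

    Assumption: HMAC replaces the real asymmetric signature; the returned
    verify key plays the role of the public key embedded in the image.
    """
    key = os.urandom(32)
    tags = {n: hmac.new(key, d, hashlib.sha256).digest() for n, d in modules.items()}
    return key, tags

def load_with_throwaway_key(verify_key, tag, data):
    """Accept a module only if its tag verifies under the embedded key."""
    expected = hmac.new(verify_key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def compare_builds():
    """Build the same modules twice per scheme and compare the embedded data."""
    reordered = dict(reversed(list(MODULES.items())))
    a1, a2 = build_with_hash_list(MODULES), build_with_hash_list(reordered)
    b1, b2 = build_with_throwaway_key(MODULES), build_with_throwaway_key(MODULES)
    return {
        "hash_list_reproducible": a1 == a2,       # same bytes in, same image out
        "throwaway_key_reproducible": b1 == b2,   # random key differs per build
    }

if __name__ == "__main__":
    print(compare_builds())
```

Both schemes reject a modified module at load time; only the embedded data of the hash list is identical across two builds of the same modules.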

