[Fedora 09/19] binfmt_elf: Elf executable signature verification

Vivek Goyal vgoyal at redhat.com
Thu Sep 5 14:00:10 UTC 2013


On Thu, Sep 05, 2013 at 06:50:05AM -0400, Josh Boyer wrote:
> On Wed, Sep 4, 2013 at 10:07 PM, Vivek Goyal <vgoyal at redhat.com> wrote:
> > On Wed, Sep 04, 2013 at 09:37:47PM -0400, Josh Boyer wrote:
> >
> > [..]
> >> > +config BINFMT_ELF_SIG
> >> > +       bool "ELF binary signature verification"
> >> > +       depends on BINFMT_ELF
> >> > +       select INTEGRITY
> >> > +       select INTEGRITY_SIGNATURE
> >> > +       select INTEGRITY_ASYMMETRIC_KEYS
> >> > +       select IMA
> >> > +       select IMA_APPRAISE
> >> > +       select SYSTEM_TRUSTED_KEYRING
> >> > +       default n
> >> > +       ---help---
> >> > +         Check ELF binary signature verfication.
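Review bot: the one-line help text at the end of the hunk, "Check ELF binary signature verfication.", misspells "verification" and does not describe what the option does; as the thread itself notes, it should state the scope (signature verification for statically linked, non-interpreted ELF executables), the limitations (no shared libraries), and that it pulls in the INTEGRITY and IMA subsystems. Separately, the `select INTEGRITY` / `select IMA` / `select IMA_APPRAISE` lines force those symbols on without Kconfig checking their own dependencies, which is how `select` behaves; expressing the requirement as `depends on INTEGRITY_ASYMMETRIC_KEYS && IMA_APPRAISE` and enabling those options explicitly in the config fragments keeps the dependency chain visible and honoured.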
> >>
> >> Please don't do this.  Yes, it's technically viable to select all the
> >> things you need, but this turns on entire subsystems we don't have
> >> enabled.  In months when the maintainers have long forgotten about
> >> this, we have to go figure out what turned on INTEGRITY and IMA
> >> because they aren't explicitly set in the config-* fragments.  It's
> >> really frustrating.
> >>
> >> Instead, please make BINFMT_ELF_SIG depend on
> >> INTEGRITY_ASYMMETRIC_KEYS and IMA_APPRAISE, then explicitly enable the
> >> options you need in config-x86-generic.  Lump them together and
> >> include a comment at the top about what piece of functionality needs
> >> them.
> >
> > Josh,
> >
> > I don't think that will make lot of sense. When a user wants to enable
> > a feature, I think it is better that anything that feature depends on
> > is selected automatically.
> 
> There are very few users that are going to want this feature.  Why
> would they?

It does not matter how many users are going to use it. Thing is, if
I run make menuconfig and if I enable ELF binary signature verification,
it should automatically select all the dependencies.

>  The Kconfig help text doesn't say anything at all about
> what this is, it doesn't list the limitations present (no shared
> libraries, etc), and it doesn't explain that it adds in entire
> subsystems.  The help text could use additions to cover all that.

That's more about help text improvement. But that's not an argument to
not do it this way. I can improve the help text, that's not a problem.

> 
> > I have had very frustrating experiences when I do "make menuconfig" and
> > the options I want to enable are not there in the menu because they are
> > dependent on something else which is not enabled.
> 
> If you knew about the option before you ran "make menuconfig", then
> you clearly saw it in the Kconfig file and should have been able to
> read what it depends on.
> 
> > How on earth is a user supposed to know that BINFMT_ELF_SIG is
> > dependent on IMA, IMA_APPRAISE, SYSTEM_TRUSTED_KEYRING,
> > INTEGRITY_SIGNATURE, INTEGRITY_ASYMMETRIC_KEYS etc.?
> 
> Frankly, an end user won't care.  This isn't a general purpose signed
> binary option.  It's limited to statically linked, no interpreted ELF
> binaries.  Also, this is the Fedora kernel list.  We'll enable this
> either way and a user gets what we build.

I think you are doing it in reverse. I am really not a fan of making
this feature *depend* on all the obscure options and leaving it an
exercise for the developer to figure out all dependencies. I find it
much more intuitive to automatically select dependencies.

And if you disable this feature in fedora, I think all the automatically
selected dependencies will automatically be deselected? So you don't
have to worry either.

Thanks
Vivek

