[Fedora 09/19] binfmt_elf: Elf executable signature verification

Josh Boyer jwboyer at gmail.com
Thu Sep 5 10:50:05 UTC 2013


On Wed, Sep 4, 2013 at 10:07 PM, Vivek Goyal <vgoyal at redhat.com> wrote:
> On Wed, Sep 04, 2013 at 09:37:47PM -0400, Josh Boyer wrote:
>
> [..]
>> > +config BINFMT_ELF_SIG
>> > +       bool "ELF binary signature verification"
>> > +       depends on BINFMT_ELF
>> > +       select INTEGRITY
>> > +       select INTEGRITY_SIGNATURE
>> > +       select INTEGRITY_ASYMMETRIC_KEYS
>> > +       select IMA
>> > +       select IMA_APPRAISE
>> > +       select SYSTEM_TRUSTED_KEYRING
>> > +       default n
>> > +       ---help---
>> > +         Check ELF binary signature verfication.
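Review bot: the help text on the last line of the hunk ("Check ELF binary signature verfication.") misspells "verification" and only restates the option name; it does not say which binaries are covered (the reply notes the feature is limited to statically linked, non-interpreted ELF executables, with no shared-library support) or that enabling the option switches on whole subsystems. Suggest replacing the `select INTEGRITY`, `select INTEGRITY_SIGNATURE`, `select IMA` and related lines with `depends on INTEGRITY_ASYMMETRIC_KEYS` and `depends on IMA_APPRAISE`, enabling those subsystems explicitly in the distribution config fragments, and rewriting the help text to state the scope and limitations.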
>>
>> Please don't do this.  Yes, it's technically viable to select all the
>> things you need, but this turns on entire subsystems we don't have
>> enabled.  In months when the maintainers have long forgotten about
>> this, we have to go figure out what turned on INTEGRITY and IMA
>> because they aren't explicitly set in the config-* fragments.  It's
>> really frustrating.
>>
>> Instead, please make BINFMT_ELF_SIG depend on
>> INTEGRITY_ASYMMETRIC_KEYS and IMA_APPRAISE, then explicitly enable the
>> options you need in config-x86-generic.  Lump them together and
>> include a comment at the top about what piece of functionality needs
>> them.
>
> Josh,
>
> I don't think that will make a lot of sense. When a user wants to enable
> a feature, I think it is better that anything that feature depends on
> is selected automatically.

There are very few users that are going to want this feature.  Why
would they?  The Kconfig help text doesn't say anything at all about
what this is, it doesn't list the limitations present (no shared
libraries, etc), and it doesn't explain that it adds in entire
subsystems.  The help text could use additions to cover all that.

> I have had very frustrating experiences when I do "make menuconfig" and
> the options I want to enable are not there in menu because they are
> dependent on something else which is not enabled.

If you knew about the option before you ran "make menuconfig", then
you clearly saw it in the Kconfig file and should have been able to
read what it depends on.

> How on earth is a user supposed to know that BINFMT_ELF_SIG is
> dependent on IMA, IMA_APPRAISE, SYSTEM_TRUSTED_KEYRING,
> INTEGRITY_SIGNATURE, INTEGRITY_ASYMMETRIC_KEYS etc.

Frankly, an end user won't care.  This isn't a general purpose signed
binary option.  It's limited to statically linked, non-interpreted ELF
binaries.  Also, this is the Fedora kernel list.  We'll enable this
either way and a user gets what we build.

josh
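The arrangement Josh asks for, shown as an added example that is not part of the original message or of the patch under review: the Kconfig entry lists its prerequisites with `depends on` instead of `select`, and the distribution config fragment turns each prerequisite on explicitly under a comment naming the feature that needs it. The symbol names are the ones quoted in the thread; the `CONFIG_FOO=y` line format assumed for config-x86-generic is an assumption, and the help text wording is illustrative.

```kconfig
# Added example (not the patch's own text): the option depends on its
# prerequisites rather than selecting them. Turning it on never enables
# another subsystem; instead it stays hidden until those symbols are set.
config BINFMT_ELF_SIG
	bool "ELF binary signature verification"
	depends on BINFMT_ELF
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on IMA_APPRAISE
	default n
	---help---
	  Verify a signature on ELF executables before they are run.
	  Only statically linked, non-interpreted ELF binaries are
	  covered; shared libraries and dynamically linked programs are
	  not. Requires the integrity asymmetric-key support and IMA
	  appraisal, which must be enabled separately (see the
	  distribution config fragments).

# Added example: the matching lines for config-x86-generic, grouped under
# one comment so a later reader can see what turned these subsystems on
# (the CONFIG_FOO=y format is an assumption about the fragment's layout).
#
# ELF executable signature verification (BINFMT_ELF_SIG) needs the
# integrity and IMA appraisal subsystems:
# CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE=y
# CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
# CONFIG_IMA=y
# CONFIG_IMA_APPRAISE=y
# CONFIG_SYSTEM_TRUSTED_KEYRING=y
# CONFIG_BINFMT_ELF_SIG=y
```

With `depends on`, the menu entry is invisible in "make menuconfig" until the prerequisites are enabled, which is the inconvenience Vivek describes; the trade-off is that a config diff and the fragment's comment, not a buried `select`, record why INTEGRITY and IMA are on.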

