[Fedora 09/19] binfmt_elf: Elf executable signature verification

Vivek Goyal vgoyal at redhat.com
Thu Sep 5 15:50:50 UTC 2013


On Thu, Sep 05, 2013 at 11:06:10AM -0400, Eric Paris wrote:
> On Wed, 2013-09-04 at 21:37 -0400, Josh Boyer wrote:
> 
> > > +config BINFMT_ELF_SIG
> > > +       bool "ELF binary signature verification"
> > > +       depends on BINFMT_ELF
> > > +       select INTEGRITY
> > > +       select INTEGRITY_SIGNATURE
> > > +       select INTEGRITY_ASYMMETRIC_KEYS
> > > +       select IMA
> > > +       select IMA_APPRAISE
> > > +       select SYSTEM_TRUSTED_KEYRING
> > > +       default n
> > > +       ---help---
> > > +         Check ELF binary signature verfication.
> > 
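
Review bot: the select lines for INTEGRITY, INTEGRITY_SIGNATURE, INTEGRITY_ASYMMETRIC_KEYS, IMA, IMA_APPRAISE and SYSTEM_TRUSTED_KEYRING force those symbols on without evaluating their own "depends on" lines, so enabling this option can yield a configuration in which a selected subsystem is built while its prerequisites are off. Consider "depends on IMA_APPRAISE" (and likewise for the other subsystems) so that they are enabled explicitly, keeping select for helper symbols that have no dependencies of their own. The help text is a single line that repeats the prompt and misspells "verification"; it should say what is verified, against which keyring, and what happens when verification fails. "default n" is redundant, since n is already the default.
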
> > Please don't do this.  Yes, it's technically viable to select all the
> > things you need, but this turns on entire subsystems we don't have
> > enabled.  In months when the maintainers have long forgotten about
> > this, we have to go figure out what turned on INTEGRITY and IMA
> > because they aren't explicitly set in the config-* fragments.  It's
> > really frustrating.
> 
> And it's just plain wrong.  CONFIG_IMA requires CONFIG_TCG_TPM.  But
> select is not recursive.  So you can end up with a config where IMA is on,
> but TPM is off...

I fail to understand why it is wrong.

- If select is not recursive, then it is a limitation of select. Either
  it needs to be fixed or as a workaround one can put explicit select
  for nested dependencies here.

Also for my usage I don't need TPM. Other IMA uses might need it but
at least I don't need it. So it should be fine if TPM is not compiled
in.

In fact in the last Fedora release TPM was explicitly disabled because
otherwise, due to buggy TPM, Fedora failed to boot on some machines.
So it seems to be only a good thing that we can use binary ELF signature
without having to enable TPM support.

Thanks
Vivek
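
The configuration state debated in this thread (a symbol forced on by select while something it depends on stays off) can be checked mechanically. The following is an added example, not code from the thread or the kernel tree: a small Python check over a constructed Kconfig fragment, in which the "depends on TCG_TPM" line under IMA models the requirement as stated in the thread, and the function names parse and unmet_selects are hypothetical.

```python
import re

# Constructed fragment. The select list is abridged from the quoted patch; the
# prompts and the "depends on" lines under IMA and IMA_APPRAISE model the
# thread's description and are not copied from a kernel tree.
KCONFIG = """
config BINFMT_ELF_SIG
    bool "ELF binary signature verification"
    depends on BINFMT_ELF
    select INTEGRITY
    select IMA
    select IMA_APPRAISE

config IMA
    bool "IMA"
    depends on TCG_TPM

config IMA_APPRAISE
    bool "IMA appraisal"
    depends on IMA
"""

def parse(text):
    """Return {symbol: {"depends": [...], "select": [...]}} for single-symbol lines."""
    syms, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(config|depends on|select)\s+(\w+)\s*$", line)
        if not m:
            continue  # prompts, help text and blank lines are ignored
        kw, name = m.groups()
        if kw == "config":
            cur = syms.setdefault(name, {"depends": [], "select": []})
        elif cur is not None:
            cur["depends" if kw == "depends on" else "select"].append(name)
    return syms

def unmet_selects(syms, enabled):
    """List (selected symbol, unmet dependency, selecting symbol) triples."""
    on, work, forced_by = set(enabled), list(enabled), {}
    while work:
        src = work.pop()
        for tgt in syms.get(src, {}).get("select", []):
            forced_by.setdefault(tgt, src)
            if tgt not in on:
                on.add(tgt)
                work.append(tgt)
    # select does not evaluate the target's "depends on"; report those left off.
    return sorted((tgt, dep, forced_by[tgt]) for tgt in forced_by
                  for dep in syms.get(tgt, {}).get("depends", []) if dep not in on)
```

Calling unmet_selects(parse(KCONFIG), {"BINFMT_ELF", "BINFMT_ELF_SIG"}) reports IMA as forced on with TCG_TPM off; adding TCG_TPM to the enabled set clears the report.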

