Hello Manoj!

On Mon, 05 May 2014, Manoj Srivastava wrote:
> > Severity: important
> >
> > /usr/share/kernel-package/ruleset/targets/image.mk does this:
> >
> > find $(TMPTOP)$(DEBUGDIR) -type f -name \*.ko | \
> > while read file; do
> >     origfile=`echo $$file | sed -e 's,$(DEBUGDIR),,g'`;
> >     echo $(OBJCOPY) --only-keep-debug $$file;
> >     $(OBJCOPY) --only-keep-debug $$file;
> >     echo $(OBJCOPY) --add-gnu-debuglink=$$file $$origfile;
> >     $(OBJCOPY) --add-gnu-debuglink=$$file $$origfile;
> > done
> >
> > which corrupts module signatures.
>
> True. But it does add a link to the dbg paths that will be
> populated if you install that. Incidentally, this is what the upstream
> make deb-pkg does

Well, the upstream Makefile somehow manages to sign the modules after all
changes to the module file, thus the signatures are valid :-)

One possible fix would be to run the signature pass after updating the
debug paths (and preferably also suppressing any signature passes before
the update, as the signature pass is quite slow and resource intensive).

> > Module signatures are important, there are several rootkits that are
> > neutralized when the kernel refuses to load unsigned modules.
>
> It is a trade off. Being able to debug vs signed modules. I
> suspect the trade off goes differently for vendor kernel packages and
> home brewed ones. Even without the objcopy, would the signed modules
> have the same signatures as the self compiled version? Is this a
> hypothetical, or do we have a concrete degradation in security?

Obviously, if you cannot secure the bootloader, module signing won't get
you much. However, it is still useful to be able to have an extra security
layer (as in "additionally to apparmor/se-linux/etc") that gets in the way
of a simple local root exploit giving you kernel powers (via
modprobe/insmod).

I am not really interested in the "vendor kernel" angle, as kernel-package
is not used for that anymore.

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond where
the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
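A check a packager could run over the staged module tree after the objcopy step above, to catch exactly the corruption this report describes. This is an added example, not code from the bug thread or from kernel-package; it relies only on the documented layout of the kernel's appended module signature trailer (signature blob, 12-byte struct module_signature, magic string), and the sample modules it builds are constructed with dummy signature bytes.

```python
import struct

# Layout of a signed .ko as produced by the kernel's sign-file tool:
#   [ELF module][signature blob][struct module_signature][magic string]
# struct module_signature is 12 bytes: u8 algo, hash, id_type, signer_len,
# key_id_len; u8 __pad[3]; __be32 sig_len.  ELF tools know nothing about
# this trailer, so an objcopy rewrite drops it or leaves it inconsistent.
SIG_MAGIC = b"~Module signature appended~\n"
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type used for PKCS#7 signatures

def parse_module_signature(data):
    """Return (id_type, sig_len, signature_bytes) for an intact trailer,
    None when there is no trailer, ValueError when the trailer is damaged."""
    if not data.endswith(SIG_MAGIC):
        return None
    body = data[:-len(SIG_MAGIC)]
    if len(body) < SIG_HDR.size:
        raise ValueError("signature header truncated")
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = SIG_HDR.unpack(
        body[-SIG_HDR.size:])
    payload = body[:-SIG_HDR.size]
    if sig_len > len(payload):
        raise ValueError("sig_len larger than remaining file")
    return id_type, sig_len, payload[len(payload) - sig_len:]

def audit_modules(modules):
    """modules: mapping of path -> file bytes.  Returns a sorted list of
    (path, reason) for every .ko whose signature trailer is missing or broken."""
    findings = []
    for path, data in modules.items():
        if not path.endswith(".ko"):
            continue
        try:
            if parse_module_signature(data) is None:
                findings.append((path, "no signature trailer"))
        except ValueError as exc:
            findings.append((path, str(exc)))
    return sorted(findings)

def build_fake_signed_module(elf_bytes, fake_sig):
    """Constructed sample only: append a trailer around a dummy signature blob,
    mirroring what sign-file does with a real PKCS#7 signature."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_sig))
    return elf_bytes + fake_sig + hdr + SIG_MAGIC
```

To audit a staged tree such as $(TMPTOP), build the mapping with os.walk and pass it to audit_modules; an empty result means every .ko still carries an intact trailer (it does not verify the signature cryptographically, which only the kernel's keyring can do).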