On Tue, 2015-07-28 at 15:44 -0700, Andy Lutomirski wrote:
> On Tue, Jul 28, 2015 at 3:39 PM, David Howells <dhowells@redhat.com> wrote:
> > James Bottomley <James.Bottomley@HansenPartnership.com> wrote:
> > 
> > > Um, wouldn't the hash be in the module ... and the module is validated
> > > at load time by whatever kernel mechanism we're using.
> > 
> > I think we're talking at cross-purposes.  The point was:
> > 
> >     (6) Should module signatures contain the module name - to be matched
> >         against the modinfo structure after the signature is checked?
> > 
> > I'm asking about whether a *module* signature should be tied to the name of
> > the *module* it is signing.  Nothing to do with firmware.
> > 
> 
> I vote "no" because I can't see a threat model under which it matters.
> If you can sign a module at all, then root can load it regardless of
> what it's called.  Nonroot can't supply the module under a forged
> name, regardless of whether the signature covers the name.

Right.

Including the module name in the signature *only* protects you against
an attacker who can provide a rogue module which *happens* to match the
digest of a genuine module.... but their rogue module has a different
name in the modinfo struct.

And quite frankly, if the attacker can manage that much, they'll manage
to get the name to match soon after. Meanwhile, I'll be in the bunker
because the world is about to end.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@intel.com                              Intel Corporation