Search Linux Wireless

Re: [PATCH 4/4] cfg80211: implement regdb signature checking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear Johannes,
Dear Linux wireless,

On Fr, Okt 06, 2017 at 03:55:32 +0200, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@xxxxxxxxx>
> 
> Currently CRDA implements the signature checking, and the previous
> commits added the ability to load the whole regulatory database
> into the kernel.
> 
> However, we really can't lose the signature checking, so implement
> it in the kernel by loading a detached signature (regulatory.db.p7s)
> and check it against built-in keys.
> 
> TODO
>  - add Seth's key, obviously
> 
> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
> ---
>  net/wireless/Kconfig         |  30 +++++++++++
>  net/wireless/Makefile        |  22 ++++++++
>  net/wireless/certs/none.x509 |   0
>  net/wireless/reg.c           | 121 ++++++++++++++++++++++++++++++++++++++++++-
>  net/wireless/reg.h           |   8 +++
>  5 files changed, 180 insertions(+), 1 deletion(-)
>  create mode 100644 net/wireless/certs/none.x509
> 
> diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig
> index f050030055c5..da91bb547db3 100644
> --- a/net/wireless/Kconfig
> +++ b/net/wireless/Kconfig
> @@ -83,6 +83,36 @@ config CFG80211_CERTIFICATION_ONUS
>  	  you are a wireless researcher and are working in a controlled
>  	  and approved environment by your local regulatory agency.
>  
> +config CFG80211_REQUIRE_SIGNED_REGDB
> +	bool "require regdb signature" if CFG80211_CERTIFICATION_ONUS
> +	default y
> +	select SYSTEM_DATA_VERIFICATION

Since v4.15 commit 90a53e4432b122 ("cfg80211: implement regdb signature
checking"), CFG80211_REQUIRE_SIGNED_REGDB is enabled unconditionally
and users have no flexibility to disable it when
CFG80211_CERTIFICATION_ONUS is unset (since the visibility of
CFG80211_REQUIRE_SIGNED_REGDB depends on CFG80211_CERTIFICATION_ONUS).

Based on the documentation of CFG80211_CERTIFICATION_ONUS, this option
is supposed to stay disabled most of the times, hence users have to live
with CFG80211_REQUIRE_SIGNED_REGDB=y and SYSTEM_DATA_VERIFICATION=y
enabled in their kernel, which consumes a few tens of KB in the
uncompressed binary Image (particularly on arm64).

A few tens of KB is not much, but on embedded systems it matters.

Can you please confirm Wireless subsystem requires
CFG80211_REQUIRE_SIGNED_REGDB=y and SYSTEM_DATA_VERIFICATION=y
regardless of the status of CFG80211_CERTIFICATION_ONUS ?

Thanks,
Eugeniu
[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Wireless Regulations]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux