On 25/07/15 03:58 PM, Damjan Georgievski wrote:
Since some time ago, the Linux kernel has had support for cryptographically signed modules, i.e. the kernel can be configured to only load properly signed modules.
I wouldn't go to lengths explaining the benefits of it, I was just wondering if Arch has the infrastructure to sign the modules - since developers already sign the kernel package itself [*], and in that sense we (the users) already trust them to that level.
I'm not suggesting that CONFIG_MODULE_SIG_FORCE is enabled by default
- that would break 3rd party modules, but people could optionally use
the "enforcemodulesig=1" kernel command line option if they want to.
[*] though packages are gpg signed, and modules use x.509
Signed modules don't really offer any added security with a vanilla kernel because root still has full control over the kernel via other known mechanisms (i.e. no exploits necessary). The feature is mostly useful for enforcing a *policy* of not allowing third party modules, similar to the kernel taint bits which can be overwritten if you really feel like doing it.
It might be worth enabling it for linux-grsec. Many cases can already be handled by setting modules_disabled=1 once the needed modules are loaded.
It's not a very compelling feature though because it's only truly useful in combination with a fully read-only root and grsecurity's romount_protect feature.
A strong MAC policy could also plug the other attack routes... but it's also going to prevent loading modules for that role anyway.