[arch-general] Signing kernel modules
Since some time ago, the Linux kernel has had support for cryptographically signed modules, i.e. the kernel can be configured to only load properly signed modules. https://www.kernel.org/doc/Documentation/module-signing.txt I wouldn't go to lengths explaining the benefits of it, I was just wondering if Arch has the infrastructure to sign the modules - since developers already sign the kernel package itself [*], and in that sense we (the users) already trust them to that level. I'm not suggesting that CONFIG_MODULE_SIG_FORCE is enabled by default - that would break 3rd party modules, but people could optionally use the "enforcemodulesig=1" kernel command line option if they want to. Thoughts? [*] though packages are gpg signed, and modules use x.509 -- damjan
On 25/07/15 03:58 PM, Damjan Georgievski wrote:
Since some time ago, the Linux kernel has had support for cryptographically signed modules, i.e. the kernel can be configured to only load properly signed modules.
https://www.kernel.org/doc/Documentation/module-signing.txt
I wouldn't go to lengths explaining the benefits of it, I was just wondering if Arch has the infrastructure to sign the modules - since developers already sign the kernel package itself [*], and in that sense we (the users) already trust them to that level.
I'm not suggesting that CONFIG_MODULE_SIG_FORCE is enabled by default - that would break 3rd party modules, but people could optionally use the "enforcemodulesig=1" kernel command line option if they want to.
Thoughts?
[*] though packages are gpg signed, and modules use x.509
Signed modules don't really offer any added security with a vanilla kernel because root still has full control over the kernel via other known mechanisms (i.e. no exploits necessary). The feature is mostly useful for enforcing a *policy* of not allowing third party modules, similar to the kernel taint bits which can be overwritten if you really feel like doing it. It might be worth enabling it for linux-grsec. Many cases can already be handled by setting modules_disabled=1 once the needed modules are loaded. It's not a very compelling feature though because it's only truly useful in combination with a fully read-only root and grsecurity's romount_protect feature. A strong MAC policy could also plug the other attack routes... but it's also going to prevent loading modules for that role anyway.
participants (2)
-
Damjan Georgievski
-
Daniel Micay