LKML Archive on lore.kernel.org
From: David Howells <dhowells@redhat.com>
To: torvalds@osdl.org, akpm@osdl.org, herbert.xu@redhat.com
Cc: linux-kernel@vger.kernel.org, davej@redhat.com,
	arjan@infradead.org, linux-crypto@vger.kernel.org,
	dhowells@redhat.com
Subject: [PATCH 0/6] MODSIGN: Kernel module signing
Date: Wed, 14 Feb 2007 19:09:38 +0000
Message-ID: <20070214190938.6438.15091.stgit@warthog.cambridge.redhat.com>
These patches provide a GPG-based kernel module signing facility.  Their use is
not fully automated within the confines of the kernel build process because it
needs provision of keys from outside of the kernel before the kernel can be
compiled.

The patches are:

 (1) A cut-down MPI library derived from GPG with error handling added.

 (2) Permit hash algorithms to hash kernel data defined by a virtual address
     and a length rather than trying to use scatter-gather lists (which require
     struct page pointers to be determined).

 (3) Add extra information to the per-arch ELF headers to more fully describe
     the format of the ELF metadata.

 (4) Add module verification capabilities, including ELF metadata verification.

 (5) Add a generic DSA signature checker.  Given a SHA1 hash of the data to be
     verified and a binary blob holding a GPG signature stream, this verifies
     the signature using a built-in ring of public keys.

 (6) Add a module signature checker that applies signature checking to modules
     on module load, checking the signature against the ring of public keys
     compiled into the kernel.


These patches have been in use by RHEL and Fedora kernels for years, and so
have been thoroughly tested.  The signed modules survive both the debuginfo
separation performed by rpmbuild and the strip performed when modules are being
reduced as much as possible before being included in an initial ramdisk
composition.  Signed modules have been tested to work with LE and BE, 32- and
64-bit arch kernels, including i386, x86_64, ppc64, ia64, s390 and s390x.

There are several reasons why these patches are useful, amongst which are:

 (1) to protect against accidentally-corrupted modules causing damage;

 (2) to protect against maliciously modified modules causing damage;

 (3) to allow a sysadmin (or more likely an IT department) to enforce a policy
     that only known and approved modules shall be loaded onto machines which
     they're expected to support;

 (4) to allow other support providers to do likewise, or at least to _detect_
     the fact that unsupported modules are loaded;

 (5) to allow the detection of modules replaced by a second-order distro or a
     preloaded Linux purveyor.

Basically, these patches have two main appeals to me: (a) preventing malicious
modules from being loaded, and (b) reducing support workload by pointing out
modules on a crashing box that aren't what they're expected to be.


Now, this is not a complete solution by any means: the core kernel is not
protected, and nor are /dev/mem or /dev/kmem, but it denies (or at least
controls) one relatively simple attack vector.

This facility is optional: the builder of a kernel is by no means under any
requirement to actually enable it, let alone force the set of loadable modules
to be restricted to just those that the builder provides (there are degrees of
restriction available).


Note to Andrew and Linus: Herbert Xu and the crypto guys need to check the
crypto bits before this should be accepted.  Possibly these patches should go
via the crypto tree.

David
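The verification flow the cover letter describes, modelled as an added example (this is not code from the MODSIGN patches or from David Howells): a DSA signature over the SHA-1 of a module image is checked against a small keyring that stands in for the ring of public keys compiled into the kernel, and the load-time decision is then made under an assumed policy. Everything in it is constructed: the DSA domain parameters are toy-sized and generated from a fixed seed, the signature is a bare (r, s) pair rather than the GPG signature stream the patches parse, the key id `builder-key`, the policy names `off`/`warn`/`enforce` and all function names are hypothetical, and the whole image is hashed, whereas the real patches hash selected ELF content so that signatures survive debuginfo separation and stripping.

```python
import hashlib
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for a constructed demo key, not for production keys."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dsa_params(rng, q_bits=160, p_bits=512):
    """Toy DSA domain parameters (p, q, g) with q dividing p-1 (small sizes for speed)."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if _is_probable_prime(q, rng):
            break
    while True:
        k = rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        p = k * q + 1
        if _is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            return p, q, g


def dsa_keygen(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)          # private signing key: stays with the kernel builder
    return x, pow(g, x, p)           # (private, public)


def dsa_sign(params, x, digest, rng):
    """Sign a SHA-1 digest; models what the builder's signing step produces."""
    p, q, g = params
    h = int.from_bytes(digest, "big")
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (h + x * r)) % q
        if r and s:
            return r, s


def dsa_verify(params, y, digest, sig):
    """Check (r, s) over a SHA-1 digest: the job of the generic checker (patch 5)."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    h = int.from_bytes(digest, "big")
    w = pow(s, -1, q)
    v = (pow(g, h * w % q, p) * pow(y, r * w % q, p)) % p % q
    return v == r


def check_module(image, signature, keyid, keyring, params, policy):
    """Model the load-time check (patch 6) under three assumed degrees of restriction:
    'off' skips checking, 'warn' loads unsigned modules but still refuses a bad
    signature, 'enforce' refuses anything that does not verify."""
    if policy == "off":
        return True, "signature checking disabled"
    if signature is None:
        if policy == "enforce":
            return False, "unsigned module refused"
        return True, "unsigned module loaded with a warning"
    y = keyring.get(keyid)
    if y is None:
        return False, "signer not in compiled-in keyring"
    digest = hashlib.sha1(image).digest()   # patch 2: hash by virtual address + length
    if dsa_verify(params, y, digest, signature):
        return True, "signature verified"
    return False, "signature mismatch"


def demo():
    rng = random.Random(2007)                        # deterministic, constructed
    params = dsa_params(rng)
    x, y = dsa_keygen(params, rng)
    keyring = {"builder-key": y}                     # stands in for the built-in key ring
    module = b"\x7fELF" + b"fake module body " * 8    # constructed stand-in for a .ko image
    sig = dsa_sign(params, x, hashlib.sha1(module).digest(), rng)
    corrupted = module[:20] + bytes([module[20] ^ 0x01]) + module[21:]   # one flipped bit
    return {
        "genuine": check_module(module, sig, "builder-key", keyring, params, "enforce"),
        "corrupted": check_module(corrupted, sig, "builder-key", keyring, params, "enforce"),
        "unknown_key": check_module(module, sig, "other-key", keyring, params, "enforce"),
        "unsigned_enforce": check_module(module, None, None, keyring, params, "enforce"),
        "unsigned_warn": check_module(module, None, None, keyring, params, "warn"),
    }


if __name__ == "__main__":
    for case, (loaded, why) in demo().items():
        print(f"{case:18} loaded={loaded!s:5} {why}")
```

Running the block prints one line per case: the genuine module verifies, a single flipped bit fails with a mismatch, a signature from a key absent from the ring is refused regardless of policy, and an unsigned module is the only case whose outcome depends on the policy degree, which is the distinction the cover letter draws between detecting unapproved modules and refusing them.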
