Apply signature checking to modules on module load
Apply signature checking to modules on module load, checking the signature
against the ring of public keys compiled into the kernel (if enabled by
CONFIG_MODULE_SIG). Turning on signature checking will also force the module's
ELF metadata to be verified first.
These patches have been in use by RHEL and Fedora kernels for years, and so
have been thoroughly tested. The signed modules survive both the debuginfo
separation performed by rpmbuild and the strip performed when modules are being
reduced as much as possible before being included in an initial ramdisk
composition. Signed modules have been tested to work with LE and BE, 32- and
64-bit arch kernels, including i386, x86_64, ppc64, ia64, s390 and s390x.
There are several reasons why these patches are useful, amongst which are:
(1) to protect against accidentally-corrupted modules causing damage;
(2) to protect against maliciously modified modules causing damage;
(3) to allow a sysadmin (or more likely an IT department) to enforce a policy
that only known and approved modules shall be loaded onto machines which
they're expected to support;
(4) to allow other support providers to do likewise, or at least to _detect_
the fact that unsupported modules are loaded;
(5) to allow the detection of modules replaced by a second-order distro or a
preloaded Linux purveyor.
Basically, these patches have two main appeals to me: (a) preventing malicious
modules from being loaded, and (b) reducing support workload by pointing out
modules on a crashing box that aren't what they're expected to be.
Now, this is not a complete solution by any means: the core kernel is not
protected, and nor are /dev/mem or /dev/kmem, but it denies (or at least
controls) one relatively simple attack vector.
This facility is optional: the builder of a kernel is by no means under any
requirement to actually enable it, let alone force the set of loadable modules
to be restricted to just those that the builder provides (there are degrees of
restriction available).
Use of the module signing facility is documentated in:
The module signing facilitiy applies cryptographic signature checking to
modules on module load, checking the signature against a ring of public keys
compiled into the kernel. GPG is used to do the cryptographic work and
determines the format of the signature and key data. The facility uses GPG's
MPI library to handle the huge numbers involved.
This facility is enabled through CONFIG_MODULE_SIG. Turning on signature
checking will also force the module's ELF metadata to be verified before the
signature is checked.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Aristeu Rozanski <arozansk@redhat.com> Signed-off-by: Chris Mason <chris.mason@oracle.com> Signed-off-by: Maxim Uvarov <maxim.uvarov@oracle.com>
projects / users / jedix / linux-maple.git / commit