lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 09 Dec 2011 18:43:26 +0000
From:	David Howells <dhowells@...hat.com>
To:	Rusty Russell <rusty@...abs.org>
Cc:	dhowells@...hat.com, keyrings@...ux-nfs.org,
	linux-crypto@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, dmitry.kasatkin@...el.com,
	zohar@...ux.vnet.ibm.com, arjan.van.de.ven@...el.com,
	alan.cox@...el.com
Subject: Re: [PATCH 21/21] MODSIGN: Apply signature checking to modules on module load [ver #3]

Rusty Russell <rusty@...abs.org> wrote:

> And adds a great deal of code in a supposedly security-sensitive path to
> achieve it.
> 
> How about simply append a signature to the module?  That'd be about 20 lines
> of code to carefully check the bounds of the module to figure out where the
> signature is.  You could even allow multiple signatures, then have one for
> stripped, and one for non-stripped versions.

A big chunk of the code is dealing with the cryptographic bits - and you need
those anyway - and if it's done right it can be shared with other things
(eCryptfs for example; maybe CIFS from what Steve French said) and auxiliary
keys can be stored in places other than the kernel (the TPM for example).

> Sure, you now need to re-append that after stripping, but that's not the
> kernel's problem.

You may also have to remove the signature before passing it to any binutils
tool lest it malfunction on the trailer - and would you also have to modify
insmod and modprobe?  I suspect they parse the ELF to find out about parameters
and things.

I've found that rpmbuild and mkinitrd alter the module files at various times,
so you'd need a bunch of signatures, one for each (may just be two, but I can't
guarantee that).  This means the kernel build process needs to know what
transformations are going to be applied to a module - something that has
changed occasionally within the distribution I use and may vary between
distributions (or even just someone building for themselves).

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ