Date:	Mon, 26 Nov 2012 09:23:05 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	linux-security-module@...r.kernel.org
Cc:	Dmitry Kasatkin <dmitry.kasatkin@...el.com>,
	Rusty Russell <rusty@...tcorp.com.au>,
	linux-kernel@...r.kernel.org, Mimi Zohar <zohar@...ibm.com>
Subject: [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys

From: Dmitry Kasatkin <dmitry.kasatkin@...el.com>

Signed modules are only as secure as the private key used to sign
them.  This patch limits access to the private key by limiting the
private key's existence to 'modules_install' (i.e. this is meant for
local developers, not distros.)

This patch defines a new kernel build command line parameter
called MODSIG (e.g. make MODSIG=1 modules_install) and adds
support for ephemeral keys.

MODSIG=1 creates an ephemeral key pair during 'modules_install',
forcing the rebuilding of the bzImage containing the new ephemeral
builtin public key, signs the kernel modules with the private key,
and then destroys the private key, limiting the existence of the
private key to the 'modules_install' execution time.  (The private
key's existence could be further limited, if the key generation
wasn't tied to a specific file, but defined as a separate target.)

Another possible MODSIG option would be to password protect the
private key.  Although this option is not as safe as removing the
private key, it would not require rebuilding the bzImage, as the
key pair is generated during 'make'.

Changelog v1:
- rebased on the upstreamed kernel module support

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@...el.com>
Signed-off-by: Mimi Zohar <zohar@...ibm.com>
---
 Makefile |   26 ++++++++++++++++++++++++++
 1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/Makefile b/Makefile
index 9f6ca12..d0dd777 100644
--- a/Makefile
+++ b/Makefile
@@ -718,10 +718,17 @@ mod_strip_cmd = true
 endif # INSTALL_MOD_STRIP
 export mod_strip_cmd
 
+export KBUILD_MODSIG := 0
 
 ifeq ($(CONFIG_MODULE_SIG),y)
 MODSECKEY = ./signing_key.priv
 MODPUBKEY = ./signing_key.x509
+
+# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
+ifeq ("$(origin MODSIG)", "command line")
+KBUILD_MODSIG := $(MODSIG)
+endif
+
 export MODPUBKEY
 mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
 else
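
Review bot: the MODSIG override sits inside 'ifeq ($(CONFIG_MODULE_SIG),y)', so with CONFIG_MODULE_SIG unset 'make MODSIG=1 modules_install' leaves KBUILD_MODSIG at 0 and proceeds as an ordinary install without any message, and the value of MODSIG is copied into KBUILD_MODSIG unchecked. Consider a $(warning ...) or $(error ...) when MODSIG comes from the command line but signing is disabled, or when the value is neither 0 nor 1. The new parameter is also documented only by the one-line comment here; an entry in the 'make help' output would make it discoverable.
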
@@ -957,8 +964,27 @@ modules_prepare: prepare scripts
 
 # Target to install modules
 PHONY += modules_install
+
+# Create an ephemeral keypair before module install
+ifeq ($(KBUILD_MODSIG),1)
+modules_install: _newmodpubkey_
+endif
+
 modules_install: _modinst_ _modinst_post
 
+ifeq ($(KBUILD_MODSIG),1)
+modules_install:  _rmprivkey_
+endif
+
+PHONY += _newmodpubkey_
+_newmodpubkey_: 
+	@rm -f $(MODSECKEY) $(MODPUBKEY)
+	$(Q)$(MAKE) -W kernel/modsign_pubkey.o
+
+PHONY += _rmprivkey_ 
+_rmprivkey_: 
+	@rm -f $(MODSECKEY)
+
 PHONY += _modinst_
 _modinst_:
 	@rm -rf $(MODLIB)/kernel
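
Review bot: the order of _newmodpubkey_, _modinst_/_modinst_post and _rmprivkey_ rests only on the order in which they are listed as prerequisites of modules_install, which make does not honour under -j; a parallel run could execute _rmprivkey_ before the install has finished, or remove and regenerate the key files while _modinst_ is already running. Expressing the order as real dependencies under the same ifeq (for example '_modinst_: _newmodpubkey_' and '_rmprivkey_: _modinst_post') would make it hold. Separately, _rmprivkey_ is never reached if _modinst_ fails, which leaves $(MODSECKEY) on disk, and 'rm -f' only unlinks the file, so the private key is not destroyed on the failure path.
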
-- 
1.7.7.6
