lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <877gp0j5kn.fsf@rustcorp.com.au>
Date:	Mon, 03 Dec 2012 11:49:03 +1030
From:	Rusty Russell <rusty@...tcorp.com.au>
To:	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	linux-security-module@...r.kernel.org
Cc:	Dmitry Kasatkin <dmitry.kasatkin@...el.com>,
	linux-kernel@...r.kernel.org, Mimi Zohar <zohar@...ibm.com>,
	"David Howells" <dhowells@...hat.com>
Subject: Re: [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys

Mimi Zohar <zohar@...ux.vnet.ibm.com> writes:
> From: Dmitry Kasatkin <dmitry.kasatkin@...el.com>
>
> Signed modules are only as secure as the private key used to sign
> them.  This patch limits access to the private key by limiting the
> private key's existence to 'modules_install'(ie. this is meant for
> local developers, not distros.)
>
> This patch defines a new kernel build command line parameter
> called MODSIG (eg. make MODSIG=1 modules_install) and adds
> support for ephemeral keys.
>
> MODSIG=1 creates an ephemeral key pair during 'modules_install',
> forcing the rebuilding of the bzImage containing the new ephemeral
> builtin public key, signs the kernel modules with the private key,
> and then destroys the private key, limiting the existance of the
> private key to the 'modules_install' execution time.  (The private
> key's existence could be further limited, if the key generation
> wasn't tied to a specific file, but defined as a separate target.)

OK, I like the idea of this, though I'm not sure I'd personally use it
because I run modules_install as root, and thus I'd have root-owned
turds left in my tree.

If there are no complaints, I'll apply this.

Cheers,
Rusty.

> Another possible MODSIG option would be to password protect the
> private key.  Although this option is not as safe as removing the
> private key, it would not require rebuilding the bzImage, as the
> key pair is generated during 'make'.
>
> Changelog v1:
> - rebased on the upsteamed kernel module support
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@...el.com>
> Signed-off-by: Mimi Zohar <zohar@...ibm.com>
> ---
>  Makefile |   26 ++++++++++++++++++++++++++
>  1 files changed, 26 insertions(+), 0 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 9f6ca12..d0dd777 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -718,10 +718,17 @@ mod_strip_cmd = true
>  endif # INSTALL_MOD_STRIP
>  export mod_strip_cmd
>  
> +export KBUILD_MODSIG := 0
>  
>  ifeq ($(CONFIG_MODULE_SIG),y)
>  MODSECKEY = ./signing_key.priv
>  MODPUBKEY = ./signing_key.x509
> +
> +# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
> +ifeq ("$(origin MODSIG)", "command line")
> +KBUILD_MODSIG := $(MODSIG)
> +endif
> +
>  export MODPUBKEY
>  mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
>  else
> @@ -957,8 +964,27 @@ modules_prepare: prepare scripts
>  
>  # Target to install modules
>  PHONY += modules_install
> +
> +# Create an ephemeral keypair before module install
> +ifeq ($(KBUILD_MODSIG),1)
> +modules_install: _newmodpubkey_
> +endif
> +
>  modules_install: _modinst_ _modinst_post
>  
> +ifeq ($(KBUILD_MODSIG),1)
> +modules_install:  _rmprivkey_
> +endif
> +
> +PHONY += _newmodpubkey_
> +_newmodpubkey_: 
> +	@rm -f $(MODSECKEY) $(MODPUBKEY)
> +	$(Q)$(MAKE) -W kernel/modsign_pubkey.o
> +
> +PHONY += _rmprivkey_ 
> +_rmprivkey_: 
> +	@rm -f $(MODSECKEY)
> +
>  PHONY += _modinst_
>  _modinst_:
>  	@rm -rf $(MODLIB)/kernel
> -- 
> 1.7.7.6


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ