| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 03 Dec 2012 11:49:03 +1030
From: Rusty Russell <rusty@...tcorp.com.au>
To: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
linux-security-module@...r.kernel.org
Cc: Dmitry Kasatkin <dmitry.kasatkin@...el.com>,
linux-kernel@...r.kernel.org, Mimi Zohar <zohar@...ibm.com>,
"David Howells" <dhowells@...hat.com>
Subject: Re: [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys
Mimi Zohar <zohar@...ux.vnet.ibm.com> writes:
> From: Dmitry Kasatkin <dmitry.kasatkin@...el.com>
>
> Signed modules are only as secure as the private key used to sign
> them. This patch limits access to the private key by limiting the
> private key's existence to 'modules_install'(ie. this is meant for
> local developers, not distros.)
>
> This patch defines a new kernel build command line parameter
> called MODSIG (eg. make MODSIG=1 modules_install) and adds
> support for ephemeral keys.
>
> MODSIG=1 creates an ephemeral key pair during 'modules_install',
> forcing the rebuilding of the bzImage containing the new ephemeral
> builtin public key, signs the kernel modules with the private key,
> and then destroys the private key, limiting the existance of the
> private key to the 'modules_install' execution time. (The private
> key's existence could be further limited, if the key generation
> wasn't tied to a specific file, but defined as a separate target.)
OK, I like the idea of this, though I'm not sure I'd personally use it
because I run modules_install as root, and thus I'd have root-owned
turds left in my tree.
If there are no complaints, I'll apply this.
Cheers,
Rusty.
> Another possible MODSIG option would be to password protect the
> private key. Although this option is not as safe as removing the
> private key, it would not require rebuilding the bzImage, as the
> key pair is generated during 'make'.
>
> Changelog v1:
> - rebased on the upsteamed kernel module support
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@...el.com>
> Signed-off-by: Mimi Zohar <zohar@...ibm.com>
> ---
> Makefile | 26 ++++++++++++++++++++++++++
> 1 files changed, 26 insertions(+), 0 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 9f6ca12..d0dd777 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -718,10 +718,17 @@ mod_strip_cmd = true
> endif # INSTALL_MOD_STRIP
> export mod_strip_cmd
>
> +export KBUILD_MODSIG := 0
>
> ifeq ($(CONFIG_MODULE_SIG),y)
> MODSECKEY = ./signing_key.priv
> MODPUBKEY = ./signing_key.x509
> +
> +# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
> +ifeq ("$(origin MODSIG)", "command line")
> +KBUILD_MODSIG := $(MODSIG)
> +endif
> +
> export MODPUBKEY
> mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
> else
> @@ -957,8 +964,27 @@ modules_prepare: prepare scripts
>
> # Target to install modules
> PHONY += modules_install
> +
> +# Create an ephemeral keypair before module install
> +ifeq ($(KBUILD_MODSIG),1)
> +modules_install: _newmodpubkey_
> +endif
> +
> modules_install: _modinst_ _modinst_post
>
> +ifeq ($(KBUILD_MODSIG),1)
> +modules_install: _rmprivkey_
> +endif
> +
> +PHONY += _newmodpubkey_
> +_newmodpubkey_:
> + @rm -f $(MODSECKEY) $(MODPUBKEY)
> + $(Q)$(MAKE) -W kernel/modsign_pubkey.o
> +
> +PHONY += _rmprivkey_
> +_rmprivkey_:
> + @rm -f $(MODSECKEY)
> +
> PHONY += _modinst_
> _modinst_:
> @rm -rf $(MODLIB)/kernel
> --
> 1.7.7.6
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists