Arch Linux


FS#64793 - Kernel lockdown: Signed out of tree modules

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 10 December 2019, 12:41 GMT
Last edited by Jelle van der Waa (jelly) - Tuesday, 10 December 2019, 17:52 GMT
Task Type: Feature Request
Category: Packages: Core
Status: Assigned
Assigned To: Jan Alexander Steffens (heftig), Levente Polyak (anthraxx)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 1
Private: No


Since Linux 5.4, the kernel supports a hardening feature called "lockdown". Once enabled, this prevents (among other things) kernel modules from being loaded unless they are signed [1] with the same key as the kernel itself. Usually, this would be enabled in early boot using the "lockdown=confidentiality" parameter on the kernel cmdline in the bootloader.

However, a side effect of this is that out of tree modules (like DKMS modules, and those out of tree modules that Archlinux ships as additional precompiled packages in its repositories) cannot be loaded anymore once lockdown is enabled.

It seems desirable that those precompiled modules (I'm mainly thinking of wireguard, but there are other precompiled modules that could benefit from this as well) would be signed using the private key that is autogenerated for module signing whilst the respective kernel package is built. That private key can be found in ./certs/signing_key.pem after the kernel was built (with . being the root directory of the kernel source tree). Obviously this still wouldn't allow people to use DKMS if they enable lockdown, but it would still be better than nothing I guess.
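As an added example (not code from the bug report or from Arch's packaging), the check a packager or administrator would want before enabling lockdown: does a .ko file carry the signature trailer that the kernel's scripts/sign-file appends, parsed per struct module_signature from include/linux/module_signature.h, and which lockdown mode is active according to /sys/kernel/security/lockdown. The module bytes below are constructed, not a real module.

```python
import struct

# Trailer that scripts/sign-file appends after the signature block; the
# kernel searches for it when CONFIG_MODULE_SIG is enabled.
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: five u8 fields (algo, hash, id_type, signer_len,
# key_id_len), three padding bytes, then a big-endian u32 sig_len.
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type written by sign-file for current kernels


def parse_module_signature(data):
    """Describe the appended signature of a module image, or return None
    if the image is unsigned. Raises ValueError where the kernel would
    reject the trailer as malformed (-EBADMSG)."""
    if not data.endswith(MODULE_SIG_MAGIC):
        return None
    body = data[: -len(MODULE_SIG_MAGIC)]
    if len(body) <= SIG_INFO.size:
        raise ValueError("trailer present but module_signature is truncated")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    payload = body[: -SIG_INFO.size]
    if sig_len >= len(payload):
        raise ValueError("sig_len exceeds the module image")
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        # For PKCS#7 signatures the kernel requires these legacy fields to be 0.
        raise ValueError("PKCS#7 signature with non-zero legacy fields")
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "module_len": len(payload) - sig_len,   # bytes actually covered
        "signature": payload[len(payload) - sig_len:],
    }


def lockdown_mode(sysfs_text):
    """Return the active mode from the contents of /sys/kernel/security/lockdown,
    e.g. '[none] integrity confidentiality' -> 'none'."""
    for token in sysfs_text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    raise ValueError("no active mode marked in lockdown file")


# Constructed sample: a fake 64-byte ELF image plus a fake 48-byte PKCS#7 blob.
FAKE_MODULE = b"\x7fELF" + b"\x00" * 60
FAKE_SIG = b"\x30\x82" + b"\xaa" * 46
SIGNED_MODULE = (FAKE_MODULE + FAKE_SIG
                 + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_SIG))
                 + MODULE_SIG_MAGIC)
```

On a live system, feed it the bytes of a module under /usr/lib/modules and the text of /sys/kernel/security/lockdown; a None result with an "integrity" or "confidentiality" mode is a module that will be refused at load time.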


Comment by Michel Koss (MichelKoss1) - Wednesday, 11 December 2019, 12:20 GMT
Currently the signing key is created and discarded during the kernel build and never leaves the build machine. Your proposition means it would have to be stored permanently and shared among the maintainers of all kernels and kernel modules. This is a huge responsibility and I believe nobody was going to take it.