FS#64793 - [linux] Kernel lockdown: Signed out of tree modules

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 10 December 2019, 12:41 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:23 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No


Since Linux 5.4, the kernel supports a hardening feature called "lockdown". Once enabled, this prevents (among other things) kernel modules from being loaded unless they are signed [1] with the same key as the kernel itself. Usually, this would be enabled in early boot using the "lockdown=confidentiality" parameter on the kernel cmdline in the bootloader.

However, a side effect of this is that out of tree modules (like DKMS modules, and those out of tree modules that Archlinux ships as additional precompiled packages in its repositories) cannot be loaded anymore once lockdown is enabled.

It seems desirable that those precompiled modules (I'm mainly thinking of wireguard, but there are other precompiled modules that could benefit from this as well) would be signed using the private key that is autogenerated for module signing whilst the respective kernel package is built. That private key can be found in ./certs/signing_key.pem after the kernel was built (with . being the root directory of the kernel source tree). Obviously this still wouldn't allow people to use DKMS if they enable lockdown, but it would still be better than nothing I guess.

[1] https://www.kernel.org/doc/html/v5.4/admin-guide/module-signing.html
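
To see which module files would be refused under the lockdown behaviour described in this report, the sketch below (an added example, not part of the original report or of any Arch Linux tooling) parses the appended-signature trailer that the kernel's module signing facility places at the end of a `.ko` file. The function names and the sample bytes are constructed for illustration, and the input must be an uncompressed module image.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # marker the kernel looks for at the end of a .ko
TRAILER = struct.Struct(">BBBBB3sI")      # struct module_signature, sig_len is big-endian
PKEY_ID_PKCS7 = 2                         # id_type value used for PKCS#7 signatures


def parse_module_signature(data: bytes):
    """Return signature layout of an uncompressed .ko image, or None if unsigned."""
    if not data.endswith(MAGIC):
        return None
    trailer_end = len(data) - len(MAGIC)
    if trailer_end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack_from(
        data, trailer_end - TRAILER.size)
    payload_len = trailer_end - TRAILER.size - sig_len
    if sig_len == 0 or payload_len < 0:
        raise ValueError("sig_len does not fit inside the file")
    # Field checks modelled on the kernel's trailer sanity checks.
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    if any((algo, hash_, signer_len, key_id_len)) or pad != b"\0\0\0":
        raise ValueError("reserved trailer fields are not zero")
    return {"payload_len": payload_len, "sig_len": sig_len,
            "signature": data[payload_len:payload_len + sig_len]}


def build_sample(signed: bool) -> bytes:
    """Constructed test input: fake ELF bytes plus a dummy (non-verifying) signature blob."""
    body = b"\x7fELF" + bytes(60)
    if not signed:
        return body
    sig = b"\x30\x82" + bytes(254)
    return body + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(sig)) + MAGIC


if __name__ == "__main__":
    # Usage: python3 modsig.py /path/to/module.ko ... (decompress .ko.zst/.ko.xz first)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                info = parse_module_signature(fh.read())
            except ValueError as exc:
                print(f"{path}: malformed signature trailer ({exc})")
                continue
        state = f"signed, {info['sig_len']}-byte PKCS#7 blob" if info else "UNSIGNED"
        print(f"{path}: {state}")
```

A trailer only shows that a signature is attached; whether the module loads still depends on the signature verifying against a key the running kernel trusts.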

Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:23 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/issues/11
Comment by Michel Koss (MichelKoss1) - Wednesday, 11 December 2019, 12:20 GMT
Currently the signing key is created and discarded during the kernel build and never leaves the build machine. Your proposition means it would have to be stored permanently and shared among maintainers of all kernels and kernel modules. This is a huge responsibility and I believe nobody was going to take it.
Comment by Jan Alexander Steffens (heftig) - Thursday, 27 July 2023, 23:04 GMT
Exactly. We currently cannot handle such a secret key.
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.