FS#64793 - [linux] Kernel lockdown: Signed out of tree modules
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 10 December 2019, 12:41 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:23 GMT
Details
Since Linux 5.4, the kernel supports a hardening feature
called "lockdown". Once enabled, this prevents (among other
things) kernel modules from being loaded unless they are
signed [1] with the same key as the kernel itself. Usually,
this would be enabled in early boot using the
"lockdown=confidentiality" parameter on the kernel cmdline
in the bootloader.
However, a side effect of this is that out of tree modules (like DKMS modules, and those out of tree modules that Arch Linux ships as additional precompiled packages in its repositories) cannot be loaded anymore once lockdown is enabled.

It seems desirable that those precompiled modules (I'm mainly thinking of wireguard, but there are other precompiled modules that could benefit from this as well) would be signed using the private key that is autogenerated for module signing whilst the respective kernel package is built. That private key can be found in ./certs/signing_key.pem after the kernel was built (with . being the root directory of the kernel source tree).

Obviously this still wouldn't allow people to use DKMS if they enable lockdown, but it would still be better than nothing I guess.

[1] https://www.kernel.org/doc/html/v5.4/admin-guide/module-signing.html
This task depends upon
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:23 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/issues/11
Comment by Michel Koss (MichelKoss1) - Wednesday, 11 December 2019, 12:20 GMT
Currently the signing key is created and discarded during the kernel build
and never leaves the build machine. Your proposition means it would
have to be stored permanently and shared among maintainers of all
kernels and kernel modules. This is a huge responsibility and I
believe nobody was going to take it.

Comment by Jan Alexander Steffens (heftig) - Thursday, 27 July 2023, 23:04 GMT
Exactly. We currently cannot handle such a secret key.

Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2
years. Please reply if you still experience this bug, otherwise
this issue will be closed after 1 month.
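
The module signature discussed in this report is a trailer appended to the module file, and the active lockdown mode is exposed in /sys/kernel/security/lockdown. The following is an added example (not part of the original report or of Arch Linux's packaging) that checks both on constructed input; the function names and the sample bytes are hypothetical.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # marker the kernel looks for at end of file
TRAILER = ">BBBBB3xI"  # struct module_signature: algo, hash, id_type, signer_len,
                       # key_id_len, 3 pad bytes, big-endian sig_len (12 bytes)
PKEY_ID_PKCS7 = 2      # id_type written by the kernel's sign-file tool

def module_signature_info(blob: bytes):
    """Describe the appended signature of an uncompressed .ko, or None if unsigned.
    Compressed modules (.ko.zst, .ko.xz) must be decompressed first."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    size = struct.calcsize(TRAILER)
    if len(body) < size:
        raise ValueError("truncated signature trailer")
    _algo, _hash, id_type, _slen, _klen, sig_len = struct.unpack(TRAILER, body[-size:])
    if sig_len > len(body) - size:
        raise ValueError("sig_len larger than file")
    return {"pkcs7": id_type == PKEY_ID_PKCS7, "sig_len": sig_len,
            "payload_len": len(body) - size - sig_len}

def lockdown_mode(text: str) -> str:
    """Parse /sys/kernel/security/lockdown; the active mode is in brackets."""
    for word in text.split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    raise ValueError("no active lockdown mode found")

def blocked_as_unsigned(blob: bytes, lockdown_text: str) -> bool:
    """True if lockdown is active and the module carries no signature at all.
    A present signature must still verify against a key the kernel trusts;
    that verification is not done here."""
    return lockdown_mode(lockdown_text) != "none" and module_signature_info(blob) is None

def make_sample(signed: bool) -> bytes:
    """Constructed test input: fake ELF payload plus a fake 32-byte 'signature'."""
    payload = b"\x7fELF" + b"\0" * 16
    if not signed:
        return payload
    fake_sig = b"\x30\x82" + b"\xaa" * 30  # constructed bytes, not a real PKCS#7 blob
    trailer = struct.pack(TRAILER, 0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_sig))
    return payload + fake_sig + trailer + MAGIC

if __name__ == "__main__":
    state = "none integrity [confidentiality]\n"  # constructed sysfs content
    for name, blob in (("signed", make_sample(True)), ("unsigned", make_sample(False))):
        print(name, module_signature_info(blob), blocked_as_unsigned(blob, state))
```

On a real system the inputs would be the bytes of a decompressed module file and the contents of /sys/kernel/security/lockdown.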