Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#64793 - Kernel lockdown: Signed out of tree modules
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 10 December 2019, 12:41 GMT
Last edited by Jelle van der Waa (jelly) - Tuesday, 10 December 2019, 17:52 GMT
Opened by Pascal Ernster (hardfalcon) - Tuesday, 10 December 2019, 12:41 GMT
Last edited by Jelle van der Waa (jelly) - Tuesday, 10 December 2019, 17:52 GMT
|
DetailsSince Linux 5.4, the kernel supports a hardening feature called "lockdown". Once enabled, this prevents (among other things) kernel modules from being loaded unless they are signed [1] with the same key as the kernel itself. Usually, this would be enabled in early boot using the "lockdown=confidentiality" parameter on the kernel cmdline in the bootloader.
However, a side effect of this is that out of tree modules (like DKMS modules, and those out of tree modules that Archlinux ships as addional precompiled packages in its repositories) cannot be loaded anymore once lockdown is enabled. It seems desirable that those precompiled modules (I'm mainly thinking of wireguard, but there are other precompiled modules that could benefit from this as well) would be signed using the private key that is autogenerated for module signing whilst the respective kernel package is built. That private key can be found in ./certs/signing_key.pem after the kernel was built (with . being the root directory of the kernel source tree). Obviously this still wouldn't allow people to use DKMS if they enable lockdown, but it would still be better than nothing I guess. [1] https://www.kernel.org/doc/html/v5.4/admin-guide/module-signing.html |
This task depends upon
Comment by Michel Koss (MichelKoss1) -
Wednesday, 11 December 2019, 12:20 GMT
Currently signing key is created and discarded during kernel build and never leaves build machine. Your proposition means it would have to be stored permanently and shared among maintainers of all kernels and kernel modules. This is huge responsibility and I believe nobody was going to take it.