From: kpcyrd <kpcyrd@archlinux.org>
To: "Thomas Weißschuh" <linux@weissschuh.net>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Nicolas Schier" <nicolas@fjasle.eu>,
"Arnd Bergmann" <arnd@arndb.de>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Petr Pavlu" <petr.pavlu@suse.com>,
"Sami Tolvanen" <samitolvanen@google.com>,
"Daniel Gomez" <da.gomez@samsung.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Jonathan Corbet" <corbet@lwn.net>
Cc: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
"Arnout Engelen" <arnout@bzzt.net>,
"Mattia Rizzolo" <mattia@mapreri.org>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org
Subject: Re: [PATCH v2 6/6] module: Introduce hash-based integrity checking
Date: Thu, 23 Jan 2025 00:28:40 +0100 [thread overview]
Message-ID: <8e5b171d-78fa-4cba-8217-1a661d23785b@archlinux.org> (raw)
In-Reply-To: <20250120-module-hashes-v2-6-ba1184e27b7f@weissschuh.net>
Hi!
Thanks for reaching out, also your work on this is much appreciated and
followed with great interest. <3
On 1/20/25 6:44 PM, Thomas Weißschuh wrote:
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index effe1db02973d4f60ff6cbc0d3b5241a3576fa3e..094ace81d795711b56d12a2abc75ea35449c8300 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -3218,6 +3218,12 @@ static int module_integrity_check(struct load_info *info, int flags)
> {
> int err = 0;
>
> + if (IS_ENABLED(CONFIG_MODULE_HASHES)) {
> + err = module_hash_check(info, flags);
> + if (!err)
> + return 0;
> + }
> +
> if (IS_ENABLED(CONFIG_MODULE_SIG))
> err = module_sig_check(info, flags);
>
From how I'm reading this (please let me know if I'm wrong):
## !CONFIG_MODULE_HASHES && !CONFIG_MODULE_SIG
No special checks, CAP_SYS_MODULE only.
## !CONFIG_MODULE_HASHES && CONFIG_MODULE_SIG
No change from how things work today:
- if the module signature verifies the module is permitted
- else, if sig_enforce=1, the module is rejected
- else, if lockdown mode is enabled, the module is rejected
- else, the module is permitted
## CONFIG_MODULE_HASHES && CONFIG_MODULE_SIG
This configuration is the one relevant for Arch Linux:
- if the module is in the set of allowed module_hashes it is permitted
- else, if the module signature verifies, the module is permitted
- else, if sig_enforce=1, the module is rejected
- else, if lockdown mode is enabled, the module is rejected
- else, the module is permitted
## CONFIG_MODULE_HASHES && !CONFIG_MODULE_SIG
This one is new:
- if the module is in the set of allowed module_hashes it is permitted
- else, if lockdown mode is enabled, the module is rejected
- else, the module is permitted
---
This all seems reasonable to me, maybe the check for
is_module_sig_enforced() could be moved from kernel/module/signing.c to
kernel/module/main.c, otherwise `sig_enforce=1` would not have any
effect for a `CONFIG_MODULE_HASHES && !CONFIG_MODULE_SIG` kernel.
cheers,
kpcyrd
next prev parent reply other threads:[~2025-01-22 23:34 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-20 17:44 [PATCH v2 0/6] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 1/6] kbuild: add stamp file for vmlinux BTF data Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 2/6] module: Make module loading policy usable without MODULE_SIG Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 3/6] module: Move integrity checks into dedicated function Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 4/6] module: Move lockdown check into generic module loader Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 5/6] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 6/6] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-01-22 23:28 ` kpcyrd [this message]
2025-03-06 8:10 ` Thomas Weißschuh
2025-02-03 14:22 ` Petr Pavlu
2025-02-04 21:22 ` Thomas Weißschuh
2025-01-21 10:26 ` [PATCH v2 0/6] " Roberto Sassu
2025-01-21 12:58 ` Thomas Weißschuh
2025-01-21 13:11 ` Roberto Sassu
2025-01-25 21:16 ` Câju Mihai-Drosi
2025-02-03 13:14 ` Christian Heusel
2025-02-04 21:08 ` Thomas Weißschuh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8e5b171d-78fa-4cba-8217-1a661d23785b@archlinux.org \
--to=kpcyrd@archlinux.org \
--cc=arnd@arndb.de \
--cc=arnout@bzzt.net \
--cc=corbet@lwn.net \
--cc=da.gomez@samsung.com \
--cc=f.gruenbichler@proxmox.com \
--cc=jmorris@namei.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=masahiroy@kernel.org \
--cc=mattia@mapreri.org \
--cc=mcgrof@kernel.org \
--cc=nathan@kernel.org \
--cc=nicolas@fjasle.eu \
--cc=paul@paul-moore.com \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox