* [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys
From: Mimi Zohar @ 2012-11-26 14:23 UTC
To: linux-security-module
Cc: Dmitry Kasatkin, Rusty Russell, linux-kernel, Mimi Zohar
From: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed modules are only as secure as the private key used to sign
them. This patch limits access to the private key by limiting the
private key's existence to 'modules_install' (i.e. this is meant for
local developers, not distros.)
This patch defines a new kernel build command line parameter
called MODSIG (e.g. make MODSIG=1 modules_install) and adds
support for ephemeral keys.
MODSIG=1 creates an ephemeral key pair during 'modules_install',
forcing the rebuilding of the bzImage containing the new ephemeral
builtin public key, signs the kernel modules with the private key,
and then destroys the private key, limiting the existence of the
private key to the 'modules_install' execution time. (The private
key's existence could be further limited, if the key generation
wasn't tied to a specific file, but defined as a separate target.)
Another possible MODSIG option would be to password protect the
private key. Although this option is not as safe as removing the
private key, it would not require rebuilding the bzImage, as the
key pair is generated during 'make'.
Changelog v1:
- rebased on the upstreamed kernel module support
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
---
Makefile | 26 ++++++++++++++++++++++++++
1 files changed, 26 insertions(+), 0 deletions(-)
diff --git a/Makefile b/Makefile
index 9f6ca12..d0dd777 100644
--- a/Makefile
+++ b/Makefile
@@ -718,10 +718,17 @@ mod_strip_cmd = true
endif # INSTALL_MOD_STRIP
export mod_strip_cmd
+export KBUILD_MODSIG := 0
ifeq ($(CONFIG_MODULE_SIG),y)
MODSECKEY = ./signing_key.priv
MODPUBKEY = ./signing_key.x509
+
+# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
+ifeq ("$(origin MODSIG)", "command line")
+KBUILD_MODSIG := $(MODSIG)
+endif
+
export MODPUBKEY
mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
else
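Review bot: `KBUILD_MODSIG := $(MODSIG)` copies whatever was typed on the command line, but every later test in this patch is `ifeq ($(KBUILD_MODSIG),1)`, so `make MODSIG=y modules_install` or `MODSIG=2` silently falls back to installing with the ordinary persistent key instead of an ephemeral one. Either validate the value here (`ifneq ($(filter-out 0 1,$(MODSIG)),)` followed by `$(error MODSIG must be 0 or 1)`) or state in the `# Use 'make MODSIG=1 ...'` comment that only the literal value 1 has an effect. That comment should also mention that the request is ignored when CONFIG_MODULE_SIG is not set, since the whole block sits inside that `ifeq`.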
@@ -957,8 +964,27 @@ modules_prepare: prepare scripts
# Target to install modules
PHONY += modules_install
+
+# Create an ephemeral keypair before module install
+ifeq ($(KBUILD_MODSIG),1)
+modules_install: _newmodpubkey_
+endif
+
modules_install: _modinst_ _modinst_post
+ifeq ($(KBUILD_MODSIG),1)
+modules_install: _rmprivkey_
+endif
+
+PHONY += _newmodpubkey_
+_newmodpubkey_:
+ @rm -f $(MODSECKEY) $(MODPUBKEY)
+ $(Q)$(MAKE) -W kernel/modsign_pubkey.o
+
+PHONY += _rmprivkey_
+_rmprivkey_:
+ @rm -f $(MODSECKEY)
+
PHONY += _modinst_
_modinst_:
@rm -rf $(MODLIB)/kernel
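Review bot: the three separate `modules_install:` prerequisite lines only give the intended generate, sign, then delete order under a serial make; prerequisites listed in separate rules for the same target carry no ordering between them, so with `make -j modules_install` GNU make may start `_rmprivkey_` before `_modinst_` has signed anything, or `_modinst_` before `_newmodpubkey_` has produced the key. Make the order explicit inside the same `ifeq`, for example `_modinst_: _newmodpubkey_` and `_rmprivkey_: _modinst_post`. Two smaller points: `_rmprivkey_` is never reached if `_modinst_` or `_modinst_post` fails, leaving the private key in the tree after a failed install, and `@rm -f $(MODSECKEY)` unlinks the file rather than wiping it, which is fine for the stated developer use case but worth saying in the comment.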
--
1.7.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread
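The MODSIG=1 lifecycle the description above walks through (generate a key pair, sign, then destroy the private half), as an added example that is not part of this patch series or of the kernel build: a POSIX shell script that reproduces it with plain openssl commands outside the kernel tree, so it can be run anywhere. The x509.genkey contents, the scratch directory layout, the `demo_module.ko` payload and the function names are constructed for this example; `openssl dgst` stands in for scripts/sign-file (it produces a detached signature, whereas sign-file appends one to the module). It goes one step beyond the patch by creating the private key under `umask 077`, and it checks the property the description claims: after the private key is gone, the certificate still verifies existing signatures while no new signature can be made.

```sh
#!/bin/sh
# Added example, not part of the patch series: the MODSIG=1 lifecycle
# (generate -> sign -> verify -> destroy private key) with plain openssl.
# File names, the x509.genkey contents and the module payload are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same naming scheme as the patch, rooted in a scratch directory.
MODKEYPREFIX="$WORK/ephemeral_signing_key"
MODSECKEY="$MODKEYPREFIX.priv"
MODPUBKEY="$MODKEYPREFIX.x509"

# Step 1 (kernel/Makefile's key rule): unencrypted key plus self-signed DER
# certificate. umask 077 keeps the private half owner-only while it exists.
gen_keypair() {
    cat > "$WORK/x509.genkey" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = Constructed build host
CN = Ephemeral module signing key
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
EOF
    (umask 077 && openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
        -x509 -config "$WORK/x509.genkey" \
        -outform DER -out "$MODPUBKEY" -keyout "$MODSECKEY" >/dev/null 2>&1)
}

# Step 2 (mod_sign_cmd): sign a file with the private key; the detached
# signature is written next to it as <file>.sig.
sign_module() {
    openssl dgst -sha256 -sign "$MODSECKEY" -out "$1.sig" "$1"
}

# Step 3 (what the kernel does at module load): verify using nothing but the
# public half extracted from the DER certificate, the part that gets built in.
verify_module() {
    openssl x509 -inform DER -in "$MODPUBKEY" -pubkey -noout > "$WORK/pub.pem" &&
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Step 4 (_rmprivkey_): end the private key's existence.
destroy_privkey() {
    rm -f "$MODSECKEY"
}

# Whole lifecycle; returns 0 only if every property the description claims holds.
ephemeral_lifecycle() {
    printf 'constructed module payload\n' > "$WORK/demo_module.ko"
    printf 'a second constructed module\n' > "$WORK/second.ko"
    gen_keypair || return 1
    sign_module "$WORK/demo_module.ko" || return 1
    verify_module "$WORK/demo_module.ko" || return 1      # good signature verifies

    # A modified module with the original signature must be rejected.
    cp "$WORK/demo_module.ko" "$WORK/tampered.ko"
    cp "$WORK/demo_module.ko.sig" "$WORK/tampered.ko.sig"
    printf 'extra byte\n' >> "$WORK/tampered.ko"
    if verify_module "$WORK/tampered.ko"; then return 1; fi

    destroy_privkey
    [ ! -e "$MODSECKEY" ] || return 1
    verify_module "$WORK/demo_module.ko" || return 1      # still verifies without the key
    if sign_module "$WORK/second.ko" 2>/dev/null; then return 1; fi   # no key, no new signatures
    return 0
}

if ephemeral_lifecycle; then
    echo "ephemeral key lifecycle: all checks passed"
else
    echo "ephemeral key lifecycle: FAILED" >&2
    exit 1
fi
```

The window in which the private key exists is the run time of this script, which is the property the patch claims for `modules_install`; anything that fails between `gen_keypair` and `destroy_privkey` would leave the key behind, which is why the script runs under `set -e` and cleans its scratch directory on exit.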
* [RFC][PATCH 2/2] modsig: differentiate between ephemeral and persistent key names
From: Mimi Zohar @ 2012-11-26 14:23 UTC
To: linux-security-module
Cc: Mimi Zohar, Rusty Russell, linux-kernel, Mimi Zohar
Using the same name for ephemeral and "persistent" keys results
in deleting the "persistent" key. This patch renames the normal
kbuild asymmetric key pair name to "default_signing_key" and the
ephemeral key pair name to "ephemeral_signing_key".
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
---
Makefile | 14 +++++++++-----
kernel/Makefile | 12 ++++++++----
2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index d0dd777..525f512 100644
--- a/Makefile
+++ b/Makefile
@@ -721,15 +721,17 @@ export mod_strip_cmd
export KBUILD_MODSIG := 0
ifeq ($(CONFIG_MODULE_SIG),y)
-MODSECKEY = ./signing_key.priv
-MODPUBKEY = ./signing_key.x509
-
# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
ifeq ("$(origin MODSIG)", "command line")
KBUILD_MODSIG := $(MODSIG)
+MODSECKEY = ./ephemeral_signing_key.priv
+MODPUBKEY = ./ephemeral_signing_key.x509
+else
+MODSECKEY = ./default_signing_key.priv
+MODPUBKEY = ./default_signing_key.x509
endif
-export MODPUBKEY
+export MODPUBKEY MODSECKEY
mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
else
mod_sign_cmd = true
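Review bot: the key names are chosen by `$(origin MODSIG)` while the generate and delete steps are gated on `$(KBUILD_MODSIG)` being 1, so `make MODSIG=0 modules_install` selects `ephemeral_signing_key.*` but neither regenerates nor deletes it; that "ephemeral" private key then persists in the tree and is reused by later installs. Select the names from the same condition as the lifecycle steps (an `ifeq ($(KBUILD_MODSIG),1)` placed after the assignment) so the two cannot disagree.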
@@ -1037,7 +1039,9 @@ MRPROPER_DIRS += include/config usr/include include/generated \
arch/*/include/generated
MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
- signing_key.priv signing_key.x509 x509.genkey \
+ default_signing_key.priv default_signing_key.x509 \
+ ephemeral_signing_key.priv ephemeral_signing_key.x509 \
+ signing_key.x509 x509.genkey \
extra_certificates signing_key.x509.keyid \
signing_key.x509.signer
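Review bot: `signing_key.priv` is dropped from MRPROPER_FILES although trees built before this change still contain one, so `make mrproper` would now leave that old private key behind; keep `signing_key.priv` in the list for a while. Keeping `ephemeral_signing_key.priv` here is a useful backstop for the case where `_rmprivkey_` never ran, and `default_signing_key.priv` being removable by mrproper is a reminder that a persistent key arguably does not belong in the build tree at all.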
diff --git a/kernel/Makefile b/kernel/Makefile
index 86e3285..34107d9 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -139,7 +139,11 @@ ifeq ($(CONFIG_MODULE_SIG),y)
extra_certificates:
touch $@
-kernel/modsign_pubkey.o: signing_key.x509 extra_certificates
+signing_key.x509: FORCE
+ ln -fs $(MODPUBKEY) $@
+ touch $@
+
+kernel/modsign_pubkey.o: $(MODPUBKEY) signing_key.x509 extra_certificates
###############################################################################
#
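Review bot: `signing_key.x509: FORCE` runs its recipe on every build, and `touch $@` on a symlink updates the mtime of the file it points at (the real `$(MODPUBKEY)`), not the link itself. Since `kernel/modsign_pubkey.o` now depends on `$(MODPUBKEY)`, the object and everything above it (vmlinux, bzImage) are rebuilt on every invocation even when the key has not changed. Drop the `touch` (make follows the symlink when it compares timestamps) or only re-link when `readlink $@` differs from `$(MODPUBKEY)`; the `$(MODPUBKEY)` dependency alone already forces a rebuild when the key switches, and the symlink is presumably only there so the object that includes `signing_key.x509` by name keeps working.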
@@ -168,7 +172,7 @@ ifeq ($(sign_key_with_hash),)
$(error Could not determine digest type to use from kernel config)
endif
-signing_key.priv signing_key.x509: x509.genkey
+$(MODSECKEY) $(MODPUBKEY): x509.genkey
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
@echo "###"
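Review bot: `$(MODSECKEY) $(MODPUBKEY): x509.genkey` with a single recipe is two independent rules to make, not one rule producing both files. Nothing in this series depends on `$(MODSECKEY)` as a make target, so this is latent, but if a later change adds such a dependency, the state left by `_rmprivkey_` (private key gone, certificate present) would re-run the recipe and overwrite `$(MODPUBKEY)` too, leaving the certificate built into the kernel mismatched with the new pair. A comment recording that the recipe must only be reached through `$(MODPUBKEY)` would prevent that.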
@@ -179,8 +183,8 @@ signing_key.priv signing_key.x509: x509.genkey
@echo "###"
openssl req -new -nodes -utf8 $(sign_key_with_hash) -days 36500 -batch \
-x509 -config x509.genkey \
- -outform DER -out signing_key.x509 \
- -keyout signing_key.priv
+ -outform DER -out $(MODPUBKEY) \
+ -keyout $(MODSECKEY)
@echo "###"
@echo "### Key pair generated."
@echo "###"
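Review bot: nothing in this recipe restricts the mode of `$(MODSECKEY)`. With `-nodes` the private key is written unencrypted, and under a default 022 umask and an openssl build that does not itself create key files 0600, `ephemeral_signing_key.priv` is world-readable for as long as it exists, and `default_signing_key.priv` indefinitely. Prefix the `openssl req` command with `umask 077;` or follow it with `chmod 600 $(MODSECKEY)` in the same recipe.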
--
1.7.7.6
* Re: [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys
From: Rusty Russell @ 2012-12-03 1:19 UTC
To: Mimi Zohar, linux-security-module
Cc: Dmitry Kasatkin, linux-kernel, Mimi Zohar, David Howells
Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> From: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
>
> Signed modules are only as secure as the private key used to sign
> them. This patch limits access to the private key by limiting the
> private key's existence to 'modules_install' (i.e. this is meant for
> local developers, not distros.)
>
> This patch defines a new kernel build command line parameter
> called MODSIG (e.g. make MODSIG=1 modules_install) and adds
> support for ephemeral keys.
>
> MODSIG=1 creates an ephemeral key pair during 'modules_install',
> forcing the rebuilding of the bzImage containing the new ephemeral
> builtin public key, signs the kernel modules with the private key,
> and then destroys the private key, limiting the existence of the
> private key to the 'modules_install' execution time. (The private
> key's existence could be further limited, if the key generation
> wasn't tied to a specific file, but defined as a separate target.)
OK, I like the idea of this, though I'm not sure I'd personally use it
because I run modules_install as root, and thus I'd have root-owned
turds left in my tree.
If there are no complaints, I'll apply this.
Cheers,
Rusty.
> Another possible MODSIG option would be to password protect the
> private key. Although this option is not as safe as removing the
> private key, it would not require rebuilding the bzImage, as the
> key pair is generated during 'make'.
>
> Changelog v1:
> - rebased on the upstreamed kernel module support
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> ---
> Makefile | 26 ++++++++++++++++++++++++++
> 1 files changed, 26 insertions(+), 0 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 9f6ca12..d0dd777 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -718,10 +718,17 @@ mod_strip_cmd = true
> endif # INSTALL_MOD_STRIP
> export mod_strip_cmd
>
> +export KBUILD_MODSIG := 0
>
> ifeq ($(CONFIG_MODULE_SIG),y)
> MODSECKEY = ./signing_key.priv
> MODPUBKEY = ./signing_key.x509
> +
> +# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
> +ifeq ("$(origin MODSIG)", "command line")
> +KBUILD_MODSIG := $(MODSIG)
> +endif
> +
> export MODPUBKEY
> mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
> else
> @@ -957,8 +964,27 @@ modules_prepare: prepare scripts
>
> # Target to install modules
> PHONY += modules_install
> +
> +# Create an ephemeral keypair before module install
> +ifeq ($(KBUILD_MODSIG),1)
> +modules_install: _newmodpubkey_
> +endif
> +
> modules_install: _modinst_ _modinst_post
>
> +ifeq ($(KBUILD_MODSIG),1)
> +modules_install: _rmprivkey_
> +endif
> +
> +PHONY += _newmodpubkey_
> +_newmodpubkey_:
> + @rm -f $(MODSECKEY) $(MODPUBKEY)
> + $(Q)$(MAKE) -W kernel/modsign_pubkey.o
> +
> +PHONY += _rmprivkey_
> +_rmprivkey_:
> + @rm -f $(MODSECKEY)
> +
> PHONY += _modinst_
> _modinst_:
> @rm -rf $(MODLIB)/kernel
> --
> 1.7.7.6
* Re: [RFC][PATCH 2/2] modsig: differentiate between ephemeral and persistent key names
From: Rusty Russell @ 2012-12-03 1:26 UTC
To: Mimi Zohar, linux-security-module
Cc: Mimi Zohar, linux-kernel, Mimi Zohar, David Howells
Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> Using the same name for ephemeral and "persistent" keys results
> in deleting the "persistent" key. This patch renames the normal
> kbuild asymmetric key pair name to "default_signing_key" and the
> ephemeral key pair name to "ephemeral_signing_key".
I like the idea: I was always uncomfortable with the mixing of
persistent and temporary keys. But it's a bit misguided, because surely
persistent keys don't belong in the build tree at all.
How about we do something like:
# Default to temporary keys
MODKEYPREFIX = ./temp_signing_key
MODSECKEY = $(MODKEYPREFIX).priv
MODPUBKEY = $(MODKEYPREFIX).x509
Then encourage people to do:
make MODKEYPREFIX=...
We could also use a config option to set the path, but that's probably
less convenient.
Cheers,
Rusty.
* Re: [RFC][PATCH 2/2] modsig: differentiate between ephemeral and persistent key names
From: Mimi Zohar @ 2012-12-03 4:09 UTC
To: Rusty Russell
Cc: linux-security-module, linux-kernel, Mimi Zohar, David Howells
On Mon, 2012-12-03 at 11:56 +1030, Rusty Russell wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> > Using the same name for ephemeral and "persistent" keys results
> > in deleting the "persistent" key. This patch renames the normal
> > kbuild asymmetric key pair name to "default_signing_key" and the
> > ephemeral key pair name to "ephemeral_signing_key".
>
> I like the idea: I was always uncomfortable with the mixing of
> persistent and temporary keys. But it's a bit misguided, because surely
> persistent keys don't belong in the build tree at all.
The original intent of the patch was to differentiate between a key
generated as part of the kbuild process, that exists for an indefinite
period of time, versus an ephemeral key, which is created and
immediately thrown away, after signing the kernel modules.
>
> How about we do something like:
>
> # Default to temporary keys
> MODKEYPREFIX = ./temp_signing_key
>
> MODSECKEY = $(MODKEYPREFIX).priv
> MODPUBKEY = $(MODKEYPREFIX).x509
>
> Then encourage people to do:
>
> make MODKEYPREFIX=...
Although your suggestion addresses a different use case scenario, I like
it a lot. Fortunately, it also works for the above ephemeral use case.
The default temporary key would be persistent across builds, while an
ephemeral key could be defined as "MODKEYPREFIX = ./ephemeral_signing_key".
My main concern is having to force modsign_pubkey to be rebuilt each and
every time, since there is no way of knowing which key was previously
included.
> We could also use a config option to set the path, but that's probably
> less convenient.
Definitely less convenient. I assume the normal use case for developers
would be multiple builds, followed by an install. Each build shouldn't
require regenerating a new keypair, nor at the point that we're ready to
sign and install the kernel modules and image, do we want to change
the .config, which would result in additional, as you put it, root owned
turds.
thanks,
Mimi
* Re: [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys
From: David Howells @ 2012-12-04 18:14 UTC
To: Rusty Russell
Cc: dhowells, Mimi Zohar, linux-security-module, Dmitry Kasatkin,
linux-kernel, Mimi Zohar
Rusty Russell <rusty@rustcorp.com.au> wrote:
> > +PHONY += _newmodpubkey_
> > +_newmodpubkey_:
> > + @rm -f $(MODSECKEY) $(MODPUBKEY)
> > + $(Q)$(MAKE) -W kernel/modsign_pubkey.o
Please don't do this. It can muck up the dependencies as make thinks it has
already done this file at this point. Also, rebuilding bzImage yet again
wouldn't be the best. We already do it a number of times. Further, if
vmlinux is already installed when you rebuild, you may confuse gdb if the
debuginfo then no longer matches vmlinux.
You have to expose the private key *anyway* - so how much does this actually
gain you? Especially with a one-shot transient key.
David
* Re: [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys
From: Mimi Zohar @ 2012-12-04 19:11 UTC
To: David Howells
Cc: Rusty Russell, linux-security-module, Dmitry Kasatkin,
linux-kernel, Mimi Zohar
On Tue, 2012-12-04 at 18:14 +0000, David Howells wrote:
> Rusty Russell <rusty@rustcorp.com.au> wrote:
>
> > > +PHONY += _newmodpubkey_
> > > +_newmodpubkey_:
> > > + @rm -f $(MODSECKEY) $(MODPUBKEY)
> > > + $(Q)$(MAKE) -W kernel/modsign_pubkey.o
>
> Please don't do this. It can muck up the dependencies as make thinks it has
> already done this file at this point. Also, rebuilding bzImage yet again
> wouldn't be the best. We already do it a number of times. Further, if
> vmlinux is already installed when you rebuild, you may confuse gdb if the
> debuginfo then no longer matches vmlinux.
> You have to expose the private key *anyway* - so how much does this actually
> gain you? Especially with a one-shot transient key.
The issue is that creating a new keypair is tied to modsign_pubkey. This
patch forces the creation of a new keypair, by removing the existing
one, compiles modsign_pubkey.o, and rebuilds the bzImage, and only then
signs the kernel modules and removes the private key. The benefits of
defining a separate target to generate a keypair are described in the
patch description.
Mimi