public inbox for linux-kernel@vger.kernel.org
From: Rusty Russell <rusty@rustcorp.com.au>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	linux-security-module@vger.kernel.org
Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>,
	linux-kernel@vger.kernel.org, Mimi Zohar <zohar@us.ibm.com>,
	"David Howells" <dhowells@redhat.com>
Subject: Re: [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys
Date: Mon, 03 Dec 2012 11:49:03 +1030
Message-ID: <877gp0j5kn.fsf@rustcorp.com.au>
In-Reply-To: <1353939786-4829-1-git-send-email-zohar@linux.vnet.ibm.com>

Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> From: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
>
> Signed modules are only as secure as the private key used to sign
> them.  This patch limits access to the private key by limiting the
> private key's existence to 'modules_install' (i.e. this is meant for
> local developers, not distros.)
>
> This patch defines a new kernel build command line parameter
> called MODSIG (e.g. make MODSIG=1 modules_install) and adds
> support for ephemeral keys.
>
> MODSIG=1 creates an ephemeral key pair during 'modules_install',
> forcing the rebuilding of the bzImage containing the new ephemeral
> builtin public key, signs the kernel modules with the private key,
> and then destroys the private key, limiting the existence of the
> private key to the 'modules_install' execution time.  (The private
> key's existence could be further limited, if the key generation
> wasn't tied to a specific file, but defined as a separate target.)

OK, I like the idea of this, though I'm not sure I'd personally use it
because I run modules_install as root, and thus I'd have root-owned
turds left in my tree.

If there are no complaints, I'll apply this.

Cheers,
Rusty.

> Another possible MODSIG option would be to password protect the
> private key.  Although this option is not as safe as removing the
> private key, it would not require rebuilding the bzImage, as the
> key pair is generated during 'make'.
>
> Changelog v1:
> - rebased on the upstreamed kernel module support
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> ---
>  Makefile |   26 ++++++++++++++++++++++++++
>  1 files changed, 26 insertions(+), 0 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 9f6ca12..d0dd777 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -718,10 +718,17 @@ mod_strip_cmd = true
>  endif # INSTALL_MOD_STRIP
>  export mod_strip_cmd
>  
> +export KBUILD_MODSIG := 0
>  
>  ifeq ($(CONFIG_MODULE_SIG),y)
>  MODSECKEY = ./signing_key.priv
>  MODPUBKEY = ./signing_key.x509
> +
> +# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
> +ifeq ("$(origin MODSIG)", "command line")
> +KBUILD_MODSIG := $(MODSIG)
> +endif
> +
>  export MODPUBKEY
>  mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
>  else
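Review bot: MODSIG is accepted without validation in the `ifeq ("$(origin MODSIG)", "command line")` block, and only the exact value 1 is acted on later, so `make MODSIG=y modules_install` would quietly sign with whatever signing_key.priv is already on disk instead of an ephemeral key. The override also sits inside `ifeq ($(CONFIG_MODULE_SIG),y)`, so with module signing disabled MODSIG=1 is ignored with no message. Suggest rejecting or warning on values other than 0 and 1, warning when MODSIG is given without CONFIG_MODULE_SIG, and listing the option in the `make help` output rather than only in this comment.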
> @@ -957,8 +964,27 @@ modules_prepare: prepare scripts
>  
>  # Target to install modules
>  PHONY += modules_install
> +
> +# Create an ephemeral keypair before module install
> +ifeq ($(KBUILD_MODSIG),1)
> +modules_install: _newmodpubkey_
> +endif
> +
>  modules_install: _modinst_ _modinst_post
>  
> +ifeq ($(KBUILD_MODSIG),1)
> +modules_install:  _rmprivkey_
> +endif
> +
> +PHONY += _newmodpubkey_
> +_newmodpubkey_: 
> +	@rm -f $(MODSECKEY) $(MODPUBKEY)
> +	$(Q)$(MAKE) -W kernel/modsign_pubkey.o
> +
> +PHONY += _rmprivkey_ 
> +_rmprivkey_: 
> +	@rm -f $(MODSECKEY)
> +
>  PHONY += _modinst_
>  _modinst_:
>  	@rm -rf $(MODLIB)/kernel
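Review bot: The ordering of `_newmodpubkey_`, `_modinst_ _modinst_post` and `_rmprivkey_` rests only on the order in which the three `modules_install:` lines list their prerequisites; nothing makes `_modinst_` depend on `_newmodpubkey_` or `_rmprivkey_` depend on `_modinst_post`. Under `make -j` these can run concurrently, so the private key may be removed before signing finishes or regenerated while modules are being signed. Suggest expressing the sequence as explicit dependencies or running the three steps from a single recipe. Separately, if `_modinst_` fails, `_rmprivkey_` never runs and $(MODSECKEY) stays on disk, which defeats the stated purpose of the option; the cleanup should run on the failure path too. It is also worth stating in the comment above `_newmodpubkey_` that the kernel image rebuilt by `$(MAKE) -W kernel/modsign_pubkey.o` must be installed afterwards, since modules signed with the new key will not verify against the previously installed image.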
> -- 
> 1.7.7.6




Thread overview: 7+ messages
2012-11-26 14:23 [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys Mimi Zohar
2012-11-26 14:23 ` [RFC][PATCH 2/2] modsig: differentiate between ephemeral and persistent key names Mimi Zohar
2012-12-03  1:26   ` Rusty Russell
2012-12-03  4:09     ` Mimi Zohar
2012-12-03  1:19 ` Rusty Russell [this message]
2012-12-04 18:14   ` [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys David Howells
2012-12-04 19:11     ` Mimi Zohar
