| 1 |
On Fri, 22 Mar 2019 14:46:20 +0000 Peter Humphrey wrote: |
| 2 |
> Hello list, |
| 3 |
> |
| 4 |
> Years ago, in the days of Yggdrasil I think, the received wisdom was that |
| 5 |
> enabling kernel module loading was a bad idea because an attacker might be |
| 6 |
> able to load malicious software directly into the kernel. No modules --> one |
| 7 |
> more attack route closed. |
| 8 |
> |
| 9 |
> What is the current thinking on this topic? I'm not trolling; I'd like to know |
| 10 |
> which way to go with a new box. |
| 11 |
|
| 12 |
These days one can configure kernel to load only signed modules |
| 13 |
(with public key compiled into kernel) and refuse to load all |
| 14 |
unsigned modules [CONFIG_MODULE_SIG_FORCE]. During normal kernel |
| 15 |
build process all legitimate modules will be signed |
| 16 |
[CONFIG_MODULE_SIG_ALL]. All out-of-tree modules may be signed |
| 17 |
manually as well [scripts/sign-file]. Afterwards signing key |
| 18 |
[certs/signing_key.pem] may be removed from the system (e.g. |
| 19 |
encrypted or deleted). |
| 20 |
|
| 21 |
The benefit of this approach compared to kernel without modules is: |
| 22 |
1) out of the tree kernel modules can be used (e.g. I use openafs) |
| 23 |
2) kernel can be made smaller and faster by removing rarely needed |
| 24 |
functionality into modules (e.g. support for various USB devices, |
| 25 |
network protocols or filters and other subsystems which are not used |
| 26 |
on daily basis, but may be needed occasionally). |
| 27 |
|
| 28 |
Best regards, |
| 29 |
Andrew Savchenko |
Archives