On Fri, 22 Mar 2019 14:46:20 +0000 Peter Humphrey wrote:
> Hello list,
>
> Years ago, in the days of Yggdrasil I think, the received wisdom was that
> enabling kernel module loading was a bad idea because an attacker might be
> able to load malicious software directly into the kernel. No modules --> one
> more attack route closed.
>
> What is the current thinking on this topic? I'm not trolling; I'd like to know
> which way to go with a new box.

These days one can configure the kernel to load only signed modules
(with the public key compiled into the kernel) and refuse to load all
unsigned modules [CONFIG_MODULE_SIG_FORCE]. During the normal kernel
build process all legitimate modules will be signed
[CONFIG_MODULE_SIG_ALL]. All out-of-tree modules may be signed
manually as well [scripts/sign-file]. Afterwards the signing key
[certs/signing_key.pem] may be removed from the system (e.g.
encrypted or deleted).

The benefits of this approach compared to a kernel without modules are:
1) out-of-tree kernel modules can be used (e.g. I use openafs);
2) the kernel can be made smaller and faster by moving rarely needed
functionality into modules (e.g. support for various USB devices,
network protocols or filters and other subsystems which are not used
on a daily basis, but may be needed occasionally).

Best regards,
Andrew Savchenko
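The workflow Andrew describes (sign everything at build time, sign out-of-tree modules by hand, enforce at load time, then retire the private key), written out as a small POSIX shell script. This is an added example, not code from the mail or from the kernel tree. It assumes KDIR points at a configured and built kernel tree that already generated certs/signing_key.pem and certs/signing_key.x509; the module path under /lib/modules/.../extra/ is a placeholder for the reader's own out-of-tree module. The only parts that run without a kernel tree are the Kconfig fragment and the trailer check, which looks for the fixed magic string that scripts/sign-file appends after the signature (the kernel uses that same string to decide whether a signature is present at all; the full trailer also carries a 12-byte struct module_signature, which this check does not parse).

```shell
#!/bin/sh
# Added example (not from the original mail): the signed-module workflow
# as shell functions. KDIR = configured, built kernel tree (assumption).
set -eu

# Kconfig fragment matching the reply: sign every in-tree module at build
# time (SIG_ALL) and refuse unsigned modules at load time (SIG_FORCE).
# Merge it into .config with scripts/kconfig/merge_config.sh.
kconfig_fragment() {
    cat <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
EOF
}

# sign-file appends: PKCS#7 signature, struct module_signature, then this
# 27-byte magic plus a newline. The kernel checks the magic first.
MODULE_SIG_STRING='~Module signature appended~'

# Return 0 if the file ends with the module signature magic, 1 otherwise.
# $(...) strips the trailing newline, so 28 bytes compare as 27 characters.
is_signed() {
    [ "$(tail -c 28 "$1")" = "$MODULE_SIG_STRING" ]
}

# Sign one out-of-tree module in place with the build's key and cert:
#   scripts/sign-file <hash> <private key> <x509 cert> <module>
sign_module() {
    "$KDIR/scripts/sign-file" sha256 \
        "$KDIR/certs/signing_key.pem" "$KDIR/certs/signing_key.x509" "$1"
}

# 1 means the running kernel enforces signatures (CONFIG_MODULE_SIG_FORCE
# or module.sig_enforce=1 on the kernel command line); 0 means unsigned
# modules still load, but taint the kernel.
sig_enforce_status() {
    cat /sys/module/module/parameters/sig_enforce
}

# After every module is signed, the private key is not needed at runtime;
# the public certificate stays compiled into the kernel. Destroy the key,
# as the reply suggests, so a later compromise cannot sign new modules.
retire_signing_key() {
    shred -u "$KDIR/certs/signing_key.pem"
}

# Worked run; only executed when KDIR is set, since it needs a real tree.
if [ -n "${KDIR:-}" ]; then
    mod=${1:-/lib/modules/$(uname -r)/extra/openafs.ko}   # placeholder path
    sign_module "$mod"
    is_signed "$mod" && echo "signed: $mod"
    modinfo -F signer "$mod"                  # prints the certificate CN
    echo "sig_enforce=$(sig_enforce_status)"
fi
```

Run it as `KDIR=/usr/src/linux sh sign-modules.sh /path/to/module.ko` after the kernel build; call `retire_signing_key` by hand only once every module you will ever need has been signed, because nothing can be signed for that kernel afterwards without rebuilding it with a new key. Note that sig_enforce checks only that a module carries a valid signature; it does not stop root from loading a legitimately signed module that happens to be vulnerable, so it narrows the attack route the original question describes rather than closing it entirely.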