|| ||Dmitry Kasatkin <firstname.lastname@example.org> |
|| ||email@example.com, firstname.lastname@example.org, email@example.com,
|| ||[RFC v2 0/7] modsig: signature based kernel module integrity verfication |
|| ||Wed, 15 Aug 2012 21:43:05 +0300|
|| ||Article, Thread
IMA measures/appraises modules when modprobe or insmod opens and reads them.
Unfortunately, there are no guarantees between what is read by userspace and
what is passed to the kernel via load_module system call. This patch adds
support for digital signature verification of kernel modules.
It uses the upstreamed digital signature verification support, which is also
used by IMA/EVM. There is no dependency on IMA/EVM, but both use the same
signature and key formats, defined by digital signature verification support.
These patches are intended to support the different use cases, from an
individual developer creating ephemeral keys, to the distro having an
existing signing mechanism in place.
For the distro, a well known public key can simply be embedded in the
kernel during the 'make' process.
For the developer, these patches create an ephemeral key during module
install, in order to limit the duration of the private key's existence.
Unfortunately, this necessitates embedding the public key in the kernel,
after the kernel has already been built. A new make target called
'signed_modules_install', creates the keypair, signs the modules,
removes the private key, and then, for now, recompiles the kernel using
'make bzImage'. For the developer, instead of doing 'make
modules_install', the new build process would be 'make', followed by
'make signed_modules_install' and 'make install'.
- new scripts/ksign.sh and scripts/genkey.sh scripts
- new targets signed_module_install and genkey for the top Makefile
- scripts/Makefile.modinst changes
- Replaces passing the signature as a separate argument, with appending
the signature to the kernel module during module install, as suggested
by Rusty Russell. (No module-init-tools changes required.)
- The signature is created during module install, after the module was
- Added support for using a builtin public key. (No requirement for an
initramfs to load the public key.)
- Added key creation and signing support to kernel Makefiles.
- Permits developers to conveniently sign their own modules with an
ephemeral key using "make signed_modules_install".
- Dmitry & Mimi
Dmitry Kasatkin (4):
integrity: added digest calculation function
modsig: add integrity_module_check hook
modsig: verify module integrity based on signature
modsig: build rules and scripts to generate keys and sign modules
Mimi Zohar (3):
keys: initialize root uid and session keyrings early
integrity: create and inititialize a keyring with builtin public key
modsig: initialize the _module public key keyring
Makefile | 38 ++++++++++
include/linux/integrity.h | 10 +++
kernel/module.c | 9 +++
scripts/Makefile.modinst | 1 +
scripts/genkey.sh | 135 ++++++++++++++++++++++++++++++++++++
scripts/ksign.sh | 64 +++++++++++++++++
security/integrity/Kconfig | 21 ++++++
security/integrity/Makefile | 18 +++++
security/integrity/digsig.c | 31 ++++++++-
security/integrity/digsig_pubkey.c | 96 +++++++++++++++++++++++++
security/integrity/integrity.h | 13 ++++
security/integrity/module.c | 91 ++++++++++++++++++++++++
security/keys/Makefile | 1 +
security/keys/root_keyring.c | 18 +++++
14 files changed, 544 insertions(+), 2 deletions(-)
create mode 100755 scripts/genkey.sh
create mode 100755 scripts/ksign.sh
create mode 100644 security/integrity/digsig_pubkey.c
create mode 100644 security/integrity/module.c
create mode 100644 security/keys/root_keyring.c
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/