LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

SecureBoot can't come soon enough

SecureBoot can't come soon enough

Posted Nov 22, 2012 8:46 UTC (Thu) by paulj (subscriber, #341)
Parent article: A rootkit dissected

So that we can be protected from our kernel code being maliciously replaced in such ways...

(Log in to post comments)

SecureBoot can't come soon enough

Posted Nov 22, 2012 11:42 UTC (Thu) by cesarb (subscriber, #6266) [Link]

SecureBoot by itself would not help, since the bootloader and kernel are not being modified. It is loading a module, so disabling module loading is what would help.

When SecureBoot is used, the kernel will disable loading modules, but you do not need SecureBoot to do so yourself.

SecureBoot can't come soon enough

Posted Nov 22, 2012 15:52 UTC (Thu) by raven667 (subscriber, #5198) [Link]

> When SecureBoot is used, the kernel will disable loading modules, but you do not need SecureBoot to do so yourself.

Although without checking of the bootloader you could create a grub module which would inject code or silently enable module loading as the kernel booted so that a rootkit could persist. And even with secureboot and disabling of unsigned module loading you can still inject code into the kernel using any kernel vulnerability accessible from userspace and use that to load a module or enable module loading.

It's good that most of these rootkits are clearly made by amateurs, what would a linux rootkit look like if it had the professional resources of cyber-weapons like Stuxnet or Flame?

SecureBoot can't come soon enough

Posted Nov 22, 2012 16:40 UTC (Thu) by nix (subscriber, #2304) [Link]

It would look invisible. :)

(Perhaps you're infected already! Look behind you!)

SecureBoot can't come soon enough

Posted Nov 22, 2012 16:54 UTC (Thu) by dps (subscriber, #5725) [Link]

My preferred fix would be module signing. If the required key was either not present, because I compiled the kernel elsewhere, or securely shredded then loading the module would fail and there would be a nasty message in the kernel log.

Real experts could just replace the kernel too but script kiddies can't. I can't afford to implement write protected /, /usr, kernel image, etc. If udev or systemd can't cope then I would use something simpler which can.

My personal firewall machine (original pentium with 2 * 10/100 ethernet) uses a kernel does not support modules, period. I don't need SecureBoot to stop you loading modules on that box :-)

SecureBoot can't come soon enough

Posted Nov 22, 2012 19:32 UTC (Thu) by Seegras (subscriber, #20463) [Link]

> ... uses a kernel does not support modules, period. I don't need
> SecureBoot to stop you loading modules on that box :-)

Aye. I've got no module-loading capability on my firewalls and servers either. For years.

SecureBoot can't come soon enough

Posted Nov 23, 2012 0:02 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

There's plenty of ways for root to modify your running kernel without loading modules. Restrictions on module loading are necessary for improved security, but not sufficient.

SecureBoot can't come soon enough

Posted Nov 22, 2012 21:23 UTC (Thu) by paulj (subscriber, #341) [Link]

Disabling module loading doesn't stop modules being loaded though...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds