Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Dmitry Kasatkin <dmitry.kasatkin <at> intel.com>
Subject: [RFC v2 0/7] modsig: signature based kernel module integrity verfication
Newsgroups: gmane.linux.kernel
Date: Wednesday 15th August 2012 18:43:05 UTC (over 4 years ago)
Hello,

IMA measures/appraises modules when modprobe or insmod opens and reads
them.
Unfortunately, there are no guarantees between what is read by userspace
and
what is passed to the kernel via load_module system call. This patch adds
support for digital signature verification of kernel modules.

It uses the upstreamed digital signature verification support, which is
also
used by IMA/EVM. There is no dependency on IMA/EVM, but both use the same
signature and key formats, defined by digital signature verification
support.

These patches are intended to support the different use cases, from an
individual developer creating ephemeral keys, to the distro having an
existing signing mechanism in place.

For the distro, a well known public key can simply be embedded in the
kernel during the 'make' process.

For the developer, these patches create an ephemeral key during module
install, in order to limit the duration of the private key's existence.
Unfortunately, this necessitates embedding the public key in the kernel,
after the kernel has already been built.  A new make target called
'signed_modules_install', creates the keypair, signs the modules,
removes the private key, and then, for now, recompiles the kernel using
'make bzImage'.  For the developer, instead of doing 'make
modules_install', the new build process would be 'make', followed by
'make signed_modules_install' and 'make install'.

Scripts:
- new scripts/ksign.sh and scripts/genkey.sh scripts
- new targets signed_module_install and genkey for the top Makefile
- scripts/Makefile.modinst changes

Changelog v2:
- Replaces passing the signature as a separate argument, with appending
  the signature to the kernel module during module install, as suggested
  by Rusty Russell. (No module-init-tools changes required.)
- The signature is created during module install, after the module was
  possibly stripped.
- Added support for using a builtin public key. (No requirement for an
  initramfs to load the public key.)
- Added key creation and signing support to kernel Makefiles.
- Permits developers to conveniently sign their own modules with an
  ephemeral key using "make signed_modules_install".

- Dmitry & Mimi

Dmitry Kasatkin (4):
  integrity: added digest calculation function
  modsig: add integrity_module_check hook
  modsig: verify module integrity based on signature
  modsig: build rules and scripts to generate keys and sign modules

Mimi Zohar (3):
  keys: initialize root uid and session keyrings early
  integrity: create and inititialize a keyring with builtin public key
  modsig: initialize the _module public key keyring

 Makefile                           |   38 ++++++++++
 include/linux/integrity.h          |   10 +++
 kernel/module.c                    |    9 +++
 scripts/Makefile.modinst           |    1 +
 scripts/genkey.sh                  |  135
++++++++++++++++++++++++++++++++++++
 scripts/ksign.sh                   |   64 +++++++++++++++++
 security/integrity/Kconfig         |   21 ++++++
 security/integrity/Makefile        |   18 +++++
 security/integrity/digsig.c        |   31 ++++++++-
 security/integrity/digsig_pubkey.c |   96 +++++++++++++++++++++++++
 security/integrity/integrity.h     |   13 ++++
 security/integrity/module.c        |   91 ++++++++++++++++++++++++
 security/keys/Makefile             |    1 +
 security/keys/root_keyring.c       |   18 +++++
 14 files changed, 544 insertions(+), 2 deletions(-)
 create mode 100755 scripts/genkey.sh
 create mode 100755 scripts/ksign.sh
 create mode 100644 security/integrity/digsig_pubkey.c
 create mode 100644 security/integrity/module.c
 create mode 100644 security/keys/root_keyring.c

-- 
1.7.9.5
 
CD: 3ms