
allow loading signed kernel modules by default / disallow kernel module loading by default

We can restrict kernel modules to only be loaded if they’re signed by a valid key. This increases security by making it harder to load a malicious module. We can do this by adding module.sig_enforce=1 as a kernel parameter.

https://www.kernel.org/doc/html/v4.19/admin-guide/module-signing.html

We can also prevent kernel modules from being loaded or unloaded after boot by setting kernel.modules_disabled=1 with sysctl. I don’t really see a point in this though as module loading requires root and if an attacker has root already, there’s no point in attempting to load a module. Even if the attacker did need to load a module, they could just set kernel.modules_disabled=0 with sysctl as they have root anyway. For some reason, the lockdown patch sets this but I don’t see any real security advantage and only potential breakages.

1 Like

madaidan via Whonix Forum:

We can restrict kernel modules to only be loaded if they’re signed by a valid key. This increases security by making it harder to load a malicious module. We can do this by adding module.sig_enforce=1 as a kernel parameter.

With the same logic (as you used later on in your post), can’t root just undo that?

1 Like

This would help if the user accidentally loads a malicious module and didn’t know about it. This also requires a reboot to remove the kernel parameter so it’s harder for an attacker to do it.

The bad thing with this though is that it would prevent out-of-tree kernel modules from being loaded. Any module that isn’t part of the original kernel source code can’t be loaded. This includes things like the wireguard module.

1 Like

Leaving this open a bit for more comments if any.

1 Like

Please implement.

See also:

1 Like

Thanks, merged!

1 Like
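
Added example, not part of any post in this thread: a POSIX shell check that reports whether the two controls discussed above (module.sig_enforce and kernel.modules_disabled) are active. The function names and the optional root-prefix argument are assumptions of this sketch, and the sample tree it can build is constructed.

```sh
#!/bin/sh
# Added example. ROOT ($1) is an assumed optional prefix so the checks can be
# pointed at a constructed tree; an empty prefix means the live system.

# Prints "enforced" or "not-enforced" for module signature enforcement.
sig_enforce_state() {
    sysfs="$1/sys/module/module/parameters/sig_enforce"
    # The running kernel reports Y when enforcement is active.
    if [ -r "$sysfs" ]; then
        case $(cat "$sysfs") in Y*) echo enforced ;; *) echo not-enforced ;; esac
        return 0
    fi
    # Fallback: the boot parameter must appear as a whole token, set to true.
    if [ -r "$1/proc/cmdline" ] && tr -s '[:space:]' '\n' < "$1/proc/cmdline" |
            grep -Eqx 'module\.sig_enforce(=[1yY])?'; then
        echo enforced
    else
        echo not-enforced
    fi
}

# Prints "disabled" when kernel.modules_disabled=1, otherwise "allowed".
modules_disabled_state() {
    f="$1/proc/sys/kernel/modules_disabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = 1 ]; then echo disabled; else echo allowed; fi
}

# Reports both controls; returns non-zero when neither restriction is active.
audit_module_policy() {
    sig=$(sig_enforce_state "$1")
    dis=$(modules_disabled_state "$1")
    echo "module signature enforcement: $sig"
    echo "module loading after boot:    $dis"
    [ "$sig" = enforced ] || [ "$dis" = disabled ]
}

# Builds a constructed /proc tree: $1 = kernel command line, $2 = sysctl value.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/proc/sys/kernel"
    printf '%s\n' "$1" > "$d/proc/cmdline"
    printf '%s\n' "$2" > "$d/proc/sys/kernel/modules_disabled"
    echo "$d"
}

audit_module_policy "" || echo "no module loading restriction is active"
```

The sysfs value is checked first because it reflects what the running kernel enforces, including enforcement compiled into the kernel rather than passed on the command line.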