enforce kernel module software signature verification [module signing] / disallow kernel module loading by default

madaidan · October 10, 2019, 4:36pm

The issue was closed.

RFE: add module-load-only-if-modules_disabled.d · Issue #13540 · systemd/systemd · GitHub

I don’t think this is for upstream systemd to manage. It may be possible to declare a static list of modules to load, but it is only possible in very specific circumstances, when you know exactly which hardware, which network devices, which network protocols, which encryption types, etc, etc, any given application will use. But even on a medium-sized distro this would be completely infeasible.

madaidan · October 26, 2019, 6:42pm

https://lists.archlinux.org/pipermail/arch-general/2015-July/039589.html

Signed modules don’t really offer any added security with a vanilla
kernel because root still has full control over the kernel via other
known mechanisms (i.e. no exploits necessary). The feature is mostly useful for enforcing a policy of not allowing third party modules, similar to the kernel taint bits which can be overwritten if you really feel like doing it.

It’s not a very compelling feature though because it’s only truly useful in combination with a fully read-only root and grsecurity’s romount_protect feature.

A strong MAC policy could also plug the other attack routes… but it’s also going to prevent loading modules for that role anyway.

Patrick · December 6, 2019, 8:03am

New versions of DKMS have a SIGN_TOOL= feature. Please have a look, see if that looks alright, and give feedback to the DKMS developers:

module signing for kernel_lockdown · Issue #72 · dell/dkms · GitHub
implement a simple module signing mechanism by xuzhen · Pull Request #87 · dell/dkms · GitHub

SIGN_TOOL=

The module signing tool to be run at a build. Two arguments will be passed to the signing tool. The first argument is the target kernel version, the second is the module file path. If the tool exits with a non-zero value, the build will be aborted.

Patrick · January 19, 2020, 12:56pm

github.com/dell/dkms

add /etc/dkms/framework.conf.d configuration file drop-in folder

opened 12:55PM - 19 Jan 20 UTC

closed 07:32PM - 22 May 22 UTC

adrelanos

Could you please add support for parsing `/etc/dkms/framework.conf.d` configurat…ion file drop-in folder? Similar to `/etc/dkms/framework.conf`. Use cases: * useful for derivative linux distribution * to work around some kernel bug ([possibly this](https://bugzilla.kernel.org/show_bug.cgi?id=196729)) I would like to set `parallel_jobs=1` per VM to work around a [bug](https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26?u=patrick) * to be able to add module signing to modules in a generic way for modules which can't do that themselves yet

Patrick · January 21, 2020, 6:27am

github.com/Kicksecure/hardened-kernel

Sign all kernel modules

Kicksecure:master ← madaidan:module_sig

opened 05:33PM - 20 Jan 20 UTC

madaidan

+12 -12

This signs all kernel modules built from the kernel source tree with SHA-512. Th…is does not yet enforce signature verification (`CONFIG_MODULE_SIG_FORCE`) but is a step closer. We now just need to sign the virtualbox guest additions, lkrg and tirdad modules with the `scripts/sign-file` tool and the `certs/signing_key.pem` private key during installation of those modules.

Where is the signing key stored? Where are the signature keys stored?

OR: What is the full command line to sign a kernel module?

Once I know that, should be possible to create an APT DPkg::Post-Invoke setting (similar to this) which signs these kernel modules.

madaidan · January 21, 2020, 4:56pm

/path/to/kernel_source/certs/signing_key.pem

https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html#manually-signing-modules

So, for us, should be

${kernel_source}/scripts/sign-file sha512 ${kernel_source}/certs/signing_key.pem ${kernel_source}/certs/signing_key.x509 module.ko

Patrick · November 18, 2020, 7:48am

Reconsidering.

Better to sign all kernel modules (this would be helpful for purpose of LKRG, tirdad and hardware comparability, namely compatibility with SecureBoot) than no progress in this ticket at all and no signing at all. A drop-in configuration .d folder where kernel modules are white listed opted in could be contributed later.

Please describe the threat model. Folders where kernel modules are stored (and would be auto-signed) are writeable by (super)admin only anyhow. If an adversary gains write access there, it’s game over anyhow. Therefore I don’t see what is gained by white listing which kernel modules should be signed.

Patrick · April 29, 2021, 2:52pm

DKMS getting module signing support.

github.com

dell/dkms/blob/master/dkms_framework.conf#L30


      
          # copying the modules. This preserves some space on the costs of being less
          # safe. Symlinking will be active if set to a non-null value:
          # symlink_modules=""
          
          # Automatic installation and upgrade for all installed kernels if set to a
          # non-null value:
          # autoinstall_all_kernels=""
          
          # Location of the sign-file kernel binary. $kernelver can be used in path to
          # represent the target kernel version. (default: depends on distribution):
          # sign_file="/path/to/sign-file"
          
          # Location of the key and certificate files used for Secure boot. $kernelver
          # can be used in path to represent the target kernel version.
          #
          # NOTE: If any of the files specified by `mok_signing_key` and
          # `mok_certificate` are non-existant, dkms will re-create both files.
          #
          # mok_signing_key can also be a "pkcs11:..." string for PKCS#11 engine, as
          # long as the sign_file program supports it.
          # (default: /var/lib/dkms):

https://github.com/dell/dkms/blob/master/sign_helper.sh

Dunno when this lands in Debian. Hopefully in Debian bullseye.

If so, since…

github.com/dell/dkms

add /etc/dkms/framework.conf.d configuration file drop-in folder

opened 12:55PM - 19 Jan 20 UTC

closed 07:32PM - 22 May 22 UTC

adrelanos

Could you please add support for parsing `/etc/dkms/framework.conf.d` configurat…ion file drop-in folder? Similar to `/etc/dkms/framework.conf`. Use cases: * useful for derivative linux distribution * to work around some kernel bug ([possibly this](https://bugzilla.kernel.org/show_bug.cgi?id=196729)) I would like to set `parallel_jobs=1` per VM to work around a [bug](https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26?u=patrick) * to be able to add module signing to modules in a generic way for modules which can't do that themselves yet

…isn’t implemented, package security-misc could config-package-dev displace

/etc/dkms/framework.conf

Patrick · April 29, 2021, 3:19pm

github.com/Kicksecure/security-misc

modify DKMS configuration file `/etc/dkms/framework.conf`

committed 03:14PM - 29 Apr 21 UTC

adrelanos

+32 -0

Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of …virtual machines. `parallel_jobs=1` This does not necessarily belong into security-misc, however likely security-misc will need to modify `/etc/dkms/framework.conf` in the future to enable kernel module signing. https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58

Patrick · August 29, 2021, 3:46pm

feature request: Debian package - kernel module signing for kernel_lockdown · Issue #113 · lkrg-org/lkrg · GitHub

Quote:

Some time ago I wrote an article on this subject. it’s in Polish, but all the necessary commands are in place and you will figure out how to make that setup work.

Patrick · November 2, 2023, 5:53pm

Automatic signing of DKMS kernel modules has been implemented by Debian by default in Debian bookworm.

sudo modinfo /lib/modules/6.1.0-13-amd64/updates/dkms/tirdad.ko | grep sign

signer: DKMS module signing key

Patrick · November 2, 2023, 5:55pm

github.com/Kicksecure/security-misc

Harden the loading of new modules to the kernel after install

Kicksecure:master ← monsieuremre:module-loading-hardening

opened 11:02AM - 02 Nov 23 UTC

monsieuremre

+20 -0

Normally it is recommended to have ```kernel.modules_disabled``` set to ```1```.… This is the case for all hardened systems, where they pre-define all the modules to be loaded if any. This prevents the loading of new modules to the kernel. Having this set as a sysctl configuration breaks the system, because it also denies ```systemd-modules-load.service``` the ability to load the modules that are legitemately needed. I found a workaround. I created a systemd service. It triggers on start up but only after ```systemd-modules-load.service``` has already done its thing. Then it disables the loading of new modules to the kernel by setting the aforementioned kernel variable. The system is fully functional. The only scenario where this would be somewhat inconvenient is maybe if and only if the following exact things happen: * a user starts up the system * some peripheral he uses needs drivers that is in the kernel * the drivers are kind of niche so they don't get loaded by default * and this device is not plugged in when the system is booting * so the drivers for that peripheral don't load * and the user decides to use this peripheral afterwards and plugs it * and the drivers cannot load, because we disabled it But if everything is plugged in on system startup, nothing can break even in such an edge scenario, I think. There are some stuff I am not sure of. First of all, it works as is perfectly. I put the service under ```lib/systemd/system/harden-module-loading.service``` and the executable that sets the kernel variable in ```usr/libexec/security-misc/disable-kernel-module-loading```. If another path is more desirable for the executable, we can change that. I also enable the service after install by adding the line ```systemctl enable disable-module-loading.service``` into the file ```debian/security-misc.postinst```. I am not sure if this would be right method of enabling the service. If it needs to be taken care of somewhere else, this can also be fixed.

Patrick · November 3, 2023, 4:20pm

Therefore re-enabled only allowing loading signed modules:

Patrick · November 3, 2023, 6:48pm

Allow only loading signed modules has to be reverted yet again.

Yes, kernel modules are signed by DKMS nowadays with the DKMS key. But that is only “half” of the solution. On

A) EFI systems, one would use moktuil to import the key.
B) non-EFI systems (such as Whonix for VirtualBox) there is no way to enroll these keys into the kernel.

Hence, the kernel does not know that key and refuses it. In result, kloak fails to load.

There are no other places to enroll the key. Reference:

See:

Table 3.3. Sources for system keyrings

Kernel recompilation would be possible to that’s quite an involved process:

https://wiki.archlinux.org/title/Signed_kernel_modules

Patrick · November 3, 2023, 7:12pm

Can /var/lib/dkms/mok.pub be enrolled using keyctl?

keyctl:

sudo apt install keyutils

Patrick · November 3, 2023, 7:35pm

Patrick · November 5, 2023, 5:27pm

Patrick · November 6, 2023, 2:11am

Debian Linux kernel bug report:
key enrollment on non-EFI systems for module.sig_enforce=1 kernel parameter

Patrick · November 6, 2023, 2:12am

github.com/Kicksecure/security-misc

harden modules load broken

opened 11:06PM - 05 Nov 23 UTC

adrelanos

Using "normal" (default settings) kernel. Not VM kernel. sudo journalctl …-u harden-module-loading.service ``` Nov 05 22:44:57 host systemd[1]: Starting harden-module-loading.service - Disable the loading of modules to the kernel after startup. Nov 05 22:44:57 host disable-kernel-module-loading[4406]: kernel.modules_disabled = 1 Nov 05 22:44:57 host disable-kernel-module-loading[4404]: The loading of new modules to the kernel has been disabled by security-misc Nov 05 22:44:57 host systemd[1]: harden-module-loading.service: Deactivated successfully. Nov 05 22:44:57 host systemd[1]: Finished harden-module-loading.service - Disable the loading of modules to the kernel after startup. ``` Ok, so it says it's done. But this contradicts it: cat /proc/sys/kernel/modules_disabled > 0 sysctl kernel.modules_disabled > kernel.modules_disabled = 0 But maybe sysctl only looks at configs, not at actual kernel values.

Patrick · November 12, 2023, 4:17am