enforce kernel module software signature verification [module signing] / disallow kernel module loading by default

madaidan · September 10, 2019, 7:34pm

An alternative way would be to create a systemd service that runs after systemd-modules-load.service and sets kernel.modules_disabled=1.

This should make sure that all modules are loaded before we set that setting. I haven’t tested this though and it might lead to another error like with systemd-sysctl.

I don’t think that’s a good idea, systemd-sysctl is one of the first services to start. Starting a bunch of units before that would likely be way too early.

The official documentation is here Kernel Support for miscellaneous Binary Formats (binfmt_misc) — The Linux Kernel documentation

Not sure what it’s used for.

Patrick · September 11, 2019, 7:42am

madaidan via Whonix Forum:

Patrick:

However, I don’t think the current approach using /usr/lib/modules-load.d folder is a good implementation.

An alternative way would be to create a systemd service that runs after systemd-modules-load.service and sets kernel.modules_disabled=1.

… and after systemd-sysctl.service (since that can be used to
influence kernel module loading).

This should make sure that all modules are loaded before we set that setting.> I haven’t tested this though and it might lead to another error like
with systemd-sysctl.

Does not work for sure. kloak as is now would still fail to load since
trying to autoload the uinput kernel module. We’d still need to use
/usr/lib/modules-load.d.

Need to find out if there is a better way than requiring all upstreams
to define their modules in /usr/lib/modules-load.d.

Patrick:

It would be better to load those systemd units that require kernel modules early enough before systemd-sysctl.service .

I don’t think that’s a good idea, systemd-sysctl is one of the first services to start. Starting a bunch of units before that would likely be way too early.

Good point. Might be inappropriate for some services indeed. Need to ask
various upstream, not sure to whom this is up. Looks like unchartered
territory. Very few search results on search engines.

madaidan · September 11, 2019, 4:51pm

Probably systemd since it handles the module loading and sysctl.

Patrick · September 12, 2019, 11:05am

What happened to ModAutoRestrict LSM?

https://lwn.net/Articles/719385/

Patrick · September 12, 2019, 11:19am

github.com/systemd/systemd

RFE: add module-load-only-if-modules_disabled.d

opened 11:19AM - 12 Sep 19 UTC

closed 08:57AM - 10 Oct 19 UTC

adrelanos

RFE 🎁 needs-discussion 🤔

We've been [contemplating](https://forums.whonix.org/t/allow-loading-signed-kern…el-modules-by-default-disallow-kernel-module-loading-by-default/7880) to make use of linux kernel sysctl `kernel.modules_disabled=1` for better [kernel hardening](https://github.com/Whonix/security-misc) by dropping a configuration snippet `/etc/sysctl.d/module-loading.conf` kernel.modules_disabled=1 `systemd-sysctl.service` would properly apply it. This would break various applications that require kernel auto module loading. For example `kloak` would no longer start. (Upstream bug report: https://github.com/vmonaco/kloak/issues/16) Other applications break too such as for example VirtualBox guest additions and either X or XFCE. Dropping a configuration snippet into `/usr/lib/modules-load.d` that makes `systemd-modules-load.service` load the required module would work. But is this the correct approach? I am asking, since if `/usr/lib/modules-load.d` was the right approach, then various upstream projects that are currently incompatible with `kernel.modules_disabled=1` could be contacted. However, on Debian I don't see any packages dropping any configuration snippets into folder `/usr/lib/modules-load.d`. So I am wondering if this is the right approach. What I am asking is: how should various upstream applications declare what kernel modules they require to be load?

madaidan · September 12, 2019, 5:08pm

It probably got scrapped in favour of kernel.modules_disabled=1.

I have no idea why people try to make features like these LSMs. It’s just unneeded complexity for a simple option.

Patrick · September 15, 2019, 12:54pm

Debian -- Details of package lockdown in buster already invented disabling module after boot.

It could be improved to fine tune when module lockdown happens. At the moment execution time isn’t fixed.

Contacted lockdown and hardening-runtime.

Package: hardening-runtime
Severity: wishlist
X-Debbugs-CC: whonix-devel@whonix.org

We now have (at least) three very similar packages.

Debian -- Details of package lockdown in buster

Debian -- Details of package hardening-runtime in buster

GitHub - Kicksecure/security-misc: Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

Let’s join forces before we independently reinvent everything.

Cheers,
Patrick

The idea is to have more eyes on this. And more benefit to more users. Therefore also beneficial due to wider testing.

madaidan · September 27, 2019, 6:39pm

It turns out, this won’t only be useful for the root user. Unprivileged users can still indirectly load kernel modules through auto-loading.

E.g. an attacker tries to use X protocol, the needed kernel module is auto-loaded even though the attacker is unprivileged and then the attacker exploits a vulnerability in X module.

Setting kernel.modules_disabled=1 will prevent the module from being loaded regardless.

Blacklisting the modules in modprobe.d would also prevent auto-loading of that specific module as it makes run /bin/false instead of auto-loading it.

There is a currently unaccepted patch that restricts auto-loading of kernel modules to root only called the Timgad LSM though.

madaidan · September 28, 2019, 3:07pm

This is a much better and more recent version of the patch.

https://lkml.org/lkml/2017/11/27/754

Patrick · October 8, 2019, 2:15pm

Got answer:

RFE: add module-load-only-if-modules_disabled.d · Issue #13540 · systemd/systemd · GitHub

Why would you turn off on-demand loading? Where is the difference of loading something ondemand vs explicitly when it comes to security? If you dont trust a module dont ship/install it. If you trust it it shouldnt mayter if you load it at boot or when actually used. What am I missing?

madaidan · October 10, 2019, 4:36pm

The issue was closed.

RFE: add module-load-only-if-modules_disabled.d · Issue #13540 · systemd/systemd · GitHub

I don’t think this is for upstream systemd to manage. It may be possible to declare a static list of modules to load, but it is only possible in very specific circumstances, when you know exactly which hardware, which network devices, which network protocols, which encryption types, etc, etc, any given application will use. But even on a medium-sized distro this would be completely infeasible.

madaidan · October 26, 2019, 6:42pm

https://lists.archlinux.org/pipermail/arch-general/2015-July/039589.html

Signed modules don’t really offer any added security with a vanilla
kernel because root still has full control over the kernel via other
known mechanisms (i.e. no exploits necessary). The feature is mostly useful for enforcing a policy of not allowing third party modules, similar to the kernel taint bits which can be overwritten if you really feel like doing it.

It’s not a very compelling feature though because it’s only truly useful in combination with a fully read-only root and grsecurity’s romount_protect feature.

A strong MAC policy could also plug the other attack routes… but it’s also going to prevent loading modules for that role anyway.

Patrick · December 6, 2019, 8:03am

New versions of DKMS have a SIGN_TOOL= feature. Please have a look, see if that looks alright, and give feedback to the DKMS developers:

module signing for kernel_lockdown · Issue #72 · dell/dkms · GitHub
implement a simple module signing mechanism by xuzhen · Pull Request #87 · dell/dkms · GitHub

SIGN_TOOL=

The module signing tool to be run at a build. Two arguments will be passed to the signing tool. The first argument is the target kernel version, the second is the module file path. If the tool exits with a non-zero value, the build will be aborted.

Patrick · January 19, 2020, 12:56pm

github.com/dell/dkms

add /etc/dkms/framework.conf.d configuration file drop-in folder

opened 12:55PM - 19 Jan 20 UTC

closed 07:32PM - 22 May 22 UTC

adrelanos

Could you please add support for parsing `/etc/dkms/framework.conf.d` configurat…ion file drop-in folder? Similar to `/etc/dkms/framework.conf`. Use cases: * useful for derivative linux distribution * to work around some kernel bug ([possibly this](https://bugzilla.kernel.org/show_bug.cgi?id=196729)) I would like to set `parallel_jobs=1` per VM to work around a [bug](https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26?u=patrick) * to be able to add module signing to modules in a generic way for modules which can't do that themselves yet

Patrick · January 21, 2020, 6:27am

github.com/Kicksecure/hardened-kernel

Sign all kernel modules

Kicksecure:master ← madaidan:module_sig

opened 05:33PM - 20 Jan 20 UTC

madaidan

+12 -12

This signs all kernel modules built from the kernel source tree with SHA-512. Th…is does not yet enforce signature verification (`CONFIG_MODULE_SIG_FORCE`) but is a step closer. We now just need to sign the virtualbox guest additions, lkrg and tirdad modules with the `scripts/sign-file` tool and the `certs/signing_key.pem` private key during installation of those modules.

Where is the signing key stored? Where are the signature keys stored?

OR: What is the full command line to sign a kernel module?

Once I know that, should be possible to create an APT DPkg::Post-Invoke setting (similar to this) which signs these kernel modules.

madaidan · January 21, 2020, 4:56pm

/path/to/kernel_source/certs/signing_key.pem

https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html#manually-signing-modules

So, for us, should be

${kernel_source}/scripts/sign-file sha512 ${kernel_source}/certs/signing_key.pem ${kernel_source}/certs/signing_key.x509 module.ko

Patrick · November 18, 2020, 7:48am

Reconsidering.

Better to sign all kernel modules (this would be helpful for purpose of LKRG, tirdad and hardware comparability, namely compatibility with SecureBoot) than no progress in this ticket at all and no signing at all. A drop-in configuration .d folder where kernel modules are white listed opted in could be contributed later.

Please describe the threat model. Folders where kernel modules are stored (and would be auto-signed) are writeable by (super)admin only anyhow. If an adversary gains write access there, it’s game over anyhow. Therefore I don’t see what is gained by white listing which kernel modules should be signed.

Patrick · April 29, 2021, 2:52pm

DKMS getting module signing support.

github.com

dell/dkms/blob/master/dkms_framework.conf#L30


      
          # copying the modules. This preserves some space on the costs of being less
          # safe. Symlinking will be active if set to a non-null value:
          # symlink_modules=""
          
          # Automatic installation and upgrade for all installed kernels if set to a
          # non-null value:
          # autoinstall_all_kernels=""
          
          # Location of the sign-file kernel binary. $kernelver can be used in path to
          # represent the target kernel version. (default: depends on distribution):
          # sign_file="/path/to/sign-file"
          
          # Location of the key and certificate files used for Secure boot. $kernelver
          # can be used in path to represent the target kernel version.
          #
          # NOTE: If any of the files specified by `mok_signing_key` and
          # `mok_certificate` are non-existant, dkms will re-create both files.
          #
          # mok_signing_key can also be a "pkcs11:..." string for PKCS#11 engine, as
          # long as the sign_file program supports it.
          # (default: /var/lib/dkms):

https://github.com/dell/dkms/blob/master/sign_helper.sh

Dunno when this lands in Debian. Hopefully in Debian bullseye.

If so, since…

github.com/dell/dkms

add /etc/dkms/framework.conf.d configuration file drop-in folder

opened 12:55PM - 19 Jan 20 UTC

closed 07:32PM - 22 May 22 UTC

adrelanos

Could you please add support for parsing `/etc/dkms/framework.conf.d` configurat…ion file drop-in folder? Similar to `/etc/dkms/framework.conf`. Use cases: * useful for derivative linux distribution * to work around some kernel bug ([possibly this](https://bugzilla.kernel.org/show_bug.cgi?id=196729)) I would like to set `parallel_jobs=1` per VM to work around a [bug](https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26?u=patrick) * to be able to add module signing to modules in a generic way for modules which can't do that themselves yet

…isn’t implemented, package security-misc could config-package-dev displace

/etc/dkms/framework.conf

Patrick · April 29, 2021, 3:19pm

github.com/Kicksecure/security-misc

modify DKMS configuration file `/etc/dkms/framework.conf`

committed 03:14PM - 29 Apr 21 UTC

adrelanos

+32 -0

Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of …virtual machines. `parallel_jobs=1` This does not necessarily belong into security-misc, however likely security-misc will need to modify `/etc/dkms/framework.conf` in the future to enable kernel module signing. https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58

Patrick · August 29, 2021, 3:46pm

feature request: Debian package - kernel module signing for kernel_lockdown · Issue #113 · lkrg-org/lkrg · GitHub

Quote:

Some time ago I wrote an article on this subject. it’s in Polish, but all the necessary commands are in place and you will figure out how to make that setup work.