enforce kernel module software signature verification [module signing] / disallow kernel module loading by default

Patrick · November 2, 2023, 5:53pm

Automatic signing of DKMS kernel modules has been implemented by Debian by default in Debian bookworm.

sudo modinfo /lib/modules/6.1.0-13-amd64/updates/dkms/tirdad.ko | grep sign

signer: DKMS module signing key

Patrick · November 2, 2023, 5:55pm

github.com/Kicksecure/security-misc

Harden the loading of new modules to the kernel after install

Kicksecure:master ← monsieuremre:module-loading-hardening

opened 11:02AM - 02 Nov 23 UTC

monsieuremre

+20 -0

Normally it is recommended to have ```kernel.modules_disabled``` set to ```1```.… This is the case for all hardened systems, where they pre-define all the modules to be loaded if any. This prevents the loading of new modules to the kernel. Having this set as a sysctl configuration breaks the system, because it also denies ```systemd-modules-load.service``` the ability to load the modules that are legitemately needed. I found a workaround. I created a systemd service. It triggers on start up but only after ```systemd-modules-load.service``` has already done its thing. Then it disables the loading of new modules to the kernel by setting the aforementioned kernel variable. The system is fully functional. The only scenario where this would be somewhat inconvenient is maybe if and only if the following exact things happen: * a user starts up the system * some peripheral he uses needs drivers that is in the kernel * the drivers are kind of niche so they don't get loaded by default * and this device is not plugged in when the system is booting * so the drivers for that peripheral don't load * and the user decides to use this peripheral afterwards and plugs it * and the drivers cannot load, because we disabled it But if everything is plugged in on system startup, nothing can break even in such an edge scenario, I think. There are some stuff I am not sure of. First of all, it works as is perfectly. I put the service under ```lib/systemd/system/harden-module-loading.service``` and the executable that sets the kernel variable in ```usr/libexec/security-misc/disable-kernel-module-loading```. If another path is more desirable for the executable, we can change that. I also enable the service after install by adding the line ```systemctl enable disable-module-loading.service``` into the file ```debian/security-misc.postinst```. I am not sure if this would be right method of enabling the service. If it needs to be taken care of somewhere else, this can also be fixed.

Patrick · November 3, 2023, 4:20pm

Therefore re-enabled only allowing loading signed modules:

Patrick · November 3, 2023, 6:48pm

Allow only loading signed modules has to be reverted yet again.

Yes, kernel modules are signed by DKMS nowadays with the DKMS key. But that is only “half” of the solution. On

A) EFI systems, one would use moktuil to import the key.
B) non-EFI systems (such as Whonix for VirtualBox) there is no way to enroll these keys into the kernel.

Hence, the kernel does not know that key and refuses it. In result, kloak fails to load.

There are no other places to enroll the key. Reference:

See:

Table 3.3. Sources for system keyrings

Kernel recompilation would be possible to that’s quite an involved process:

https://wiki.archlinux.org/title/Signed_kernel_modules

Patrick · November 3, 2023, 7:12pm

Can /var/lib/dkms/mok.pub be enrolled using keyctl?

keyctl:

sudo apt install keyutils

Patrick · November 3, 2023, 7:35pm

Patrick · November 5, 2023, 5:27pm

Patrick · November 6, 2023, 2:11am

Debian Linux kernel bug report:
key enrollment on non-EFI systems for module.sig_enforce=1 kernel parameter

Patrick · November 6, 2023, 2:12am

github.com/Kicksecure/security-misc

harden modules load broken

opened 11:06PM - 05 Nov 23 UTC

adrelanos

Using "normal" (default settings) kernel. Not VM kernel. sudo journalctl …-u harden-module-loading.service ``` Nov 05 22:44:57 host systemd[1]: Starting harden-module-loading.service - Disable the loading of modules to the kernel after startup. Nov 05 22:44:57 host disable-kernel-module-loading[4406]: kernel.modules_disabled = 1 Nov 05 22:44:57 host disable-kernel-module-loading[4404]: The loading of new modules to the kernel has been disabled by security-misc Nov 05 22:44:57 host systemd[1]: harden-module-loading.service: Deactivated successfully. Nov 05 22:44:57 host systemd[1]: Finished harden-module-loading.service - Disable the loading of modules to the kernel after startup. ``` Ok, so it says it's done. But this contradicts it: cat /proc/sys/kernel/modules_disabled > 0 sysctl kernel.modules_disabled > kernel.modules_disabled = 0 But maybe sysctl only looks at configs, not at actual kernel values.

Patrick · November 12, 2023, 4:17am