Re: Should we automatically generate a module signing key at all?

From: Linus Torvalds
Date: Tue May 19 2015 - 13:53:25 EST


On Tue, May 19, 2015 at 10:43 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>
> If it weren't a giant PITA, I would consider enabling module signing,
> but I don't see much point on my system since I don't have secure boot
> and I think it's misguided that kernel mode code should be considered
> more important to protect than fully privileged user-space code.

What PITA?

Do this:

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y

and you're done. You don't need to do anything else. There's no PITA.
It just works. I do this in my /etc/kernel-config, so *all* the
kernels I build and boot have this, and I never even have to think about
it, much less have to do anything special. I don't even bother
removing the key consciously, because I end up doing "git clean -dqfx
; make allmodconfig ; make -j16" so many times a day during the merge
window anyway that it doesn't last.

Enabling those three config options makes the build generate the key
for you, and assuming you just remove the key after the build/install
(incidentally like I do, or consciously like you *should* do it), it
makes your kernel as secure as if you were to just build everything
into the kernel.

Is it going to fix any *other* security issues? No. But it does mean
that if you somehow have a security issue, the attacker is going to
have a *much* harder time to install a rootkit kernel module that
actively hides the attack from you.

And that is not some theoretical concern. There have been multiple cases of that.

Linus
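Two checks that go with the three options above, as an added example that is not part of the mail or of the kernel tree: confirm that a .config really carries all of CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE and CONFIG_MODULE_SIG_ALL set to y, and confirm that a built .ko actually ends with the kernel's signature trailer, the string "~Module signature appended~\n" (MODULE_SIG_STRING), which is what CONFIG_MODULE_SIG_ALL appends to every module at install time. The function names and the sample .config and .ko files in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the kernel tree.
#   1. check_modsig_config: are MODULE_SIG / _FORCE / _ALL all =y in a .config?
#   2. is_signed_module / report_tree: does each .ko end with the kernel's
#      MODULE_SIG_STRING trailer "~Module signature appended~\n"?
# The .config and .ko files built in the demo at the bottom are stubs
# constructed for this example, so it runs without a kernel tree.
set -eu

SIG_MAGIC='~Module signature appended~'

# check_modsig_config FILE: return 0 when all three options are =y,
# otherwise list the missing ones on stderr and return 1.
check_modsig_config() {
    cfg=$1
    missing=''
    for opt in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE CONFIG_MODULE_SIG_ALL; do
        grep -qx "${opt}=y" "$cfg" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "not set in $cfg:$missing" >&2
        return 1
    fi
    return 0
}

# is_signed_module FILE: return 0 when the file ends with the signature
# marker (27 characters plus the trailing newline, 28 bytes). An unsigned
# .ko ends with ordinary ELF section data and has no such trailer.
is_signed_module() {
    tail -c 28 "$1" | grep -q "^${SIG_MAGIC}\$"
}

# report_tree DIR: print one line per .ko under DIR and return 1 if any
# module lacks the marker. This is the "did SIG_ALL really sign everything"
# check to run over /lib/modules/$(uname -r) after make modules_install.
report_tree() {
    rc=0
    for ko in $(find "$1" -name '*.ko' | sort); do
        if is_signed_module "$ko"; then
            echo "signed   $ko"
        else
            echo "UNSIGNED $ko"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files (no kernel tree needed).
demo_dir=$(mktemp -d)
printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\nCONFIG_MODULE_SIG_ALL=y\n' \
    > "$demo_dir/good.config"
printf 'CONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n' \
    > "$demo_dir/weak.config"
# Fake module bodies: a few bytes standing in for ELF content; the signed
# one is followed by a stand-in signature blob and the real marker string.
printf '\177ELF-stub-bytes' > "$demo_dir/unsigned.ko"
{ printf '\177ELF-stub-bytes'; printf 'pkcs7-blob'; printf '%s\n' "$SIG_MAGIC"; } \
    > "$demo_dir/signed.ko"

for c in good weak; do
    if check_modsig_config "$demo_dir/$c.config"; then
        echo "$c.config: module signing fully enabled"
    else
        echo "$c.config: module signing incomplete"
    fi
done
report_tree "$demo_dir" || echo "some modules are unsigned"
```

On a real tree, point check_modsig_config at the build's .config and report_tree at /lib/modules/$(uname -r) after make modules_install; modinfo on a signed module also lists signer, sig_key and sig_hashalgo fields. The key the build generates for you is the thing to delete afterwards, as the mail says: in kernels of this vintage it is signing_key.priv (with signing_key.x509) at the top of the build tree, in later kernels certs/signing_key.pem. Once it is gone, nothing can sign a new module for that kernel, and with CONFIG_MODULE_SIG_FORCE an unsigned module is refused at load time.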