Re: [PATCH 1/2] module: add syscall to load module from fd

From: Mimi Zohar
Date: Fri Sep 07 2012 - 13:14:32 EST


On Fri, 2012-09-07 at 09:45 +0930, Rusty Russell wrote:
> Kees Cook <keescook@xxxxxxxxxxxx> writes:
> > Instead of (or in addition to) kernel module signing, being able to reason
> > about the origin of a kernel module would be valuable in situations
> > where an OS already trusts a specific file system, file, etc, due to
> > things like security labels or an existing root of trust to a partition
> > through things like dm-verity.
> >
> > This introduces a new syscall (currently only on x86), similar to
> > init_module, that has only two arguments. The first argument is used as
> > a file descriptor to the module and the second argument is a pointer to
> > the NULL terminated string of module arguments.
>
> Thanks. Minor comments follow:

Rusty, sorry for bringing this up again, but with Kees' new syscall,
which passes in the file descriptor, appraising the integrity of kernel
modules could be like appraising the integrity of any other file on the
filesystem. All that would be needed is a new security hook, which is
needed in anycase for IMA measurement.

The concerns with this approach, expressed in the past by David Howells,
are that it requires IMA-appraisal to be enabled, extended attribute
support, and changes to userspace tools. Normally I wouldn't be too
concerned about filesystems that don't support extended attributes, but
the initramfs is currently cpio. Perhaps this isn't an issue in
anycase, as the initramfs would be appraised in the secure boot
environment.

The first two concerns could be addressed by passing in a digital
signature, which the new syscall supports. The signature could be stored
as an extended attribute, appended to the kernel module or, as
originally described by Dmitry, in a .sig file. Where/how the signature
is stored would be left up to the distro's and userspace tool's
discretion.

When EVM/IMA-appraisal is enabled, it would either appraise the kernel
module based on the xattr, if available, or the supplied signature.
Otherwise, without EVM/IMA-appraisal enabled, the stub hook would
appraise the kernel module based on the supplied signature, calling
integrity_digsig_verify() directly.

This method is a consistent and extensible approach to verifying the
integrity of file data/metadata, including kernel modules. The only
downside to this approach, I think, is that it requires changes to the
userspace tool.

thanks,

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/