On Fri, 2012-09-07 at 09:45 +0930, Rusty Russell wrote: > Kees Cook <keesc...@chromium.org> writes: > > Instead of (or in addition to) kernel module signing, being able to reason > > about the origin of a kernel module would be valuable in situations > > where an OS already trusts a specific file system, file, etc, due to > > things like security labels or an existing root of trust to a partition > > through things like dm-verity. > > > > This introduces a new syscall (currently only on x86), similar to > > init_module, that has only two arguments. The first argument is used as > > a file descriptor to the module and the second argument is a pointer to > > the NULL terminated string of module arguments. > > Thanks. Minor comments follow:
Rusty, sorry for bringing this up again, but with Kees' new syscall, which passes in the file descriptor, appraising the integrity of kernel modules could be like appraising the integrity of any other file on the filesystem. All that would be needed is a new security hook, which is needed in anycase for IMA measurement. The concerns with this approach, expressed in the past by David Howells, are that it requires IMA-appraisal to be enabled, extended attribute support, and changes to userspace tools. Normally I wouldn't be too concerned about filesystems that don't support extended attributes, but the initramfs is currently cpio. Perhaps this isn't an issue in anycase, as the initramfs would be appraised in the secure boot environment. The first two concerns could be addressed by passing in a digital signature, which the new syscall supports. The signature could be stored as an extended attribute, appended to the kernel module or, as originally described by Dmitry, in a .sig file. Where/how the signature is stored would be left up to the distro's and userspace tool's discretion. When EVM/IMA-appraisal is enabled, it would either appraise the kernel module based on the xattr, if available, or the supplied signature. Otherwise, without EVM/IMA-appraisal enabled, the stub hook would appraise the kernel module based on the supplied signature, calling integrity_digsig_verify() directly. This method is a consistent and extensible approach to verifying the integrity of file data/metadata, including kernel modules. The only downside to this approach, I think, is that it requires changes to the userspace tool. thanks, Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
