From: Dmitry Kasatkin <dmitry.kasat...@intel.com>

Signed modules are only as secure as the private key used to sign them. This patch limits access to the private key by limiting the private key's existence to 'modules_install' (i.e. this is meant for local developers, not distros).

This patch defines a new kernel build command line parameter called MODSIG (e.g. make MODSIG=1 modules_install) and adds support for ephemeral keys. MODSIG=1 creates an ephemeral key pair during 'modules_install', forcing the rebuilding of the bzImage containing the new ephemeral builtin public key, signs the kernel modules with the private key, and then destroys the private key, limiting the existence of the private key to the 'modules_install' execution time. (The private key's existence could be further limited, if the key generation wasn't tied to a specific file, but defined as a separate target.)

Another possible MODSIG option would be to password protect the private key. Although this option is not as safe as removing the private key, it would not require rebuilding the bzImage, as the key pair is generated during 'make'.

Changelog v1:
- rebased on the upstreamed kernel module support

Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@intel.com>
Signed-off-by: Mimi Zohar <zo...@us.ibm.com>
--- Makefile | 26 ++++++++++++++++++++++++++ 1 files changed, 26 insertions(+), 0 deletions(-) diff --git a/Makefile b/Makefile index 9f6ca12..d0dd777 100644 --- a/Makefile +++ b/Makefile @@ -718,10 +718,17 @@ mod_strip_cmd = true endif # INSTALL_MOD_STRIP export mod_strip_cmd +export KBUILD_MODSIG := 0 ifeq ($(CONFIG_MODULE_SIG),y) MODSECKEY = ./signing_key.priv MODPUBKEY = ./signing_key.x509 + +# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing +ifeq ("$(origin MODSIG)", "command line") +KBUILD_MODSIG := $(MODSIG) +endif + export MODPUBKEY mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY) else 
@@ -957,8 +964,27 @@ modules_prepare: prepare scripts # Target to install modules PHONY += modules_install + +# Create an ephemeral keypair before module install +ifeq ($(KBUILD_MODSIG),1) +modules_install: _newmodpubkey_ +endif + modules_install: _modinst_ _modinst_post +ifeq ($(KBUILD_MODSIG),1) +modules_install: _rmprivkey_ +endif + +PHONY += _newmodpubkey_ +_newmodpubkey_: + @rm -f $(MODSECKEY) $(MODPUBKEY) + $(Q)$(MAKE) -W kernel/modsign_pubkey.o + +PHONY += _rmprivkey_ +_rmprivkey_: + @rm -f $(MODSECKEY) + PHONY += _modinst_ _modinst_: @rm -rf $(MODLIB)/kernel -- 1.7.7.6
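
Review bot: in the first hunk (@@ -718,10 +718,17 @@), MODSIG is accepted without any validation and can be silently ignored. The assignment "KBUILD_MODSIG := $(MODSIG)" sits inside "ifeq ($(CONFIG_MODULE_SIG),y)", so "make MODSIG=1 modules_install" on a configuration without CONFIG_MODULE_SIG does nothing and reports nothing, and any value other than 1 (MODSIG=y, MODSIG=2) is copied into KBUILD_MODSIG but never matches the "ifeq ($(KBUILD_MODSIG),1)" tests in the second hunk. A user who believes the private key was ephemeral may in fact be left with ./signing_key.priv on disk. Consider failing with $(error ...) when MODSIG is given on the command line but is not 1 or CONFIG_MODULE_SIG is not set, and documenting the parameter next to the other command-line options rather than only in a Makefile comment.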
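
Review bot: in the second hunk (@@ -957,8 +964,27 @@), the sequence generate key, sign, delete key is enforced only by the order in which _newmodpubkey_, _modinst_, _modinst_post and _rmprivkey_ are listed as prerequisites of modules_install. "_rmprivkey_:" and "_newmodpubkey_:" declare no prerequisites of their own, so under "make -j" nothing in these lines prevents $(MODSECKEY) from being removed while modules are still being signed, or signing from starting before the new key pair exists. Expressing the order as real dependencies under the same ifeq (for example _modinst_ depending on _newmodpubkey_, and _rmprivkey_ depending on _modinst_post) would make it hold for parallel builds. Two further points on the same lines: if _modinst_ fails, _rmprivkey_ never runs and the private key stays in the tree, which defeats the purpose of the option, so the cleanup should also happen on the error path; and "rm -f $(MODSECKEY)" only unlinks the file, which is worth stating in the comment so the guarantee is not read as secure erasure.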