On 25/07/15 03:58 PM, Damjan Georgievski wrote:
> Since some time ago, the Linux kernel has had support for cryptographically signed
> modules, i.e. the kernel can be configured to only load properly signed modules.
>
> https://www.kernel.org/doc/Documentation/module-signing.txt
>
> I wouldn't go to lengths explaining the benefits of it, I was just
> wondering if Arch has the infrastructure to sign the modules - since
> developers already sign the kernel package itself [*], and in that sense
> we (the users) already trust them to that level.
>
> I'm not suggesting that CONFIG_MODULE_SIG_FORCE is enabled by default
> - that would break 3rd party modules, but people could optionally use
> the "enforcemodulesig=1" kernel command line option if they want to.
>
> Thoughts?
>
> [*] though packages are gpg signed, and modules use x.509

Signed modules don't really offer any added security with a vanilla kernel
because root still has full control over the kernel via other known
mechanisms (i.e. no exploits necessary). The feature is mostly useful for
enforcing a *policy* of not allowing third party modules, similar to the
kernel taint bits which can be overwritten if you really feel like doing it.

It might be worth enabling it for linux-grsec. Many cases can already be
handled by setting modules_disabled=1 once the needed modules are loaded.
It's not a very compelling feature though because it's only truly useful in
combination with a fully read-only root and grsecurity's romount_protect
feature. A strong MAC policy could also plug the other attack routes... but
it's also going to prevent loading modules for that role anyway.
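As an added example (not code from either poster or from Arch), the following POSIX shell script shows the two things the reply contrasts: whether a given module file actually carries an appended signature block, and which of the two policies (signature enforcement versus kernel.modules_disabled=1) the running kernel is currently applying. It assumes the real kernel interfaces /sys/module/module/parameters/sig_enforce and /proc/sys/kernel/modules_disabled; the sample module path in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Signed modules end with the literal marker "~Module signature appended~\n";
# the PKCS#7 signature and its descriptor sit just before that marker.
# Compressed modules (Arch ships .ko.gz / .ko.xz / .ko.zst) are signed before
# compression, so the file must be decompressed before looking at its tail.
has_module_sig() {
    f=$1
    case "$f" in
        *.gz)  tailbytes=$(gzip -dc "$f" | tail -c 28) ;;
        *.xz)  tailbytes=$(xz -dc "$f" | tail -c 28) ;;
        *.zst) tailbytes=$(zstd -dc "$f" | tail -c 28) ;;
        *)     tailbytes=$(tail -c 28 "$f") ;;
    esac
    # $(...) strips the trailing newline, leaving the 27-character marker.
    [ "$tailbytes" = "~Module signature appended~" ]
}

# Report the effective module-loading policy:
#   disabled  - kernel.modules_disabled=1: no further module loading at all
#   enforced  - sig_enforce=Y: only correctly signed modules load
#   open      - unsigned modules still load, they merely taint the kernel
# Both paths default to the real kernel interfaces (assumed here) but can be
# overridden so the logic can be exercised against constructed files.
module_policy() {
    sig_enforce=$(cat "${1:-/sys/module/module/parameters/sig_enforce}" 2>/dev/null)
    disabled=$(cat "${2:-/proc/sys/kernel/modules_disabled}" 2>/dev/null)
    if [ "$disabled" = "1" ]; then
        echo disabled
    elif [ "$sig_enforce" = "Y" ]; then
        echo enforced
    else
        echo open
    fi
}

# Usage (illustrative path): ./modsig-check.sh /lib/modules/$(uname -r)/kernel/fs/ext4/ext4.ko.gz
if [ -n "$1" ]; then
    if has_module_sig "$1"; then echo "$1: signed"; else echo "$1: unsigned"; fi
    echo "policy: $(module_policy)"
fi
```

Note that a "signed" result only says a signature block is present; whether the kernel accepts it depends on the key being in the builtin trusted keyring, which is what sig_enforce=Y gates on.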