gentle ping Il giorno gio 14 set 2023 alle ore 13:28 Alessandro Carminati (Red Hat) <alessandro.carminati@xxxxxxxxx> ha scritto: > > This patch sets up a new feature to the Linux kernel to have the ability, > while module signature checking is enabled, to delay the moment where > these signatures are effectively checked. The feature is structure into > two main key points, the feature can be enabled by a new command line > kernel argument, while in delay mode, the kernel waits until the > userspace communicates to start checking signature modules. > This operation can be done by writing a value in a securityfs file, > which works the same as /sys/kernel/security/lockdown. > > Patch 1/2: Modules: Introduce boot-time module signature flexibility > The first patch in this set fundamentally alters the kernel's behavior > at boot time by implementing a delayed module signature verification > mechanism. It introduces a new boot-time kernel argument that allows > users to request this delay. By doing so, we aim to capitalize on the > cryptographic checks already performed on the kernel and initrd images > during the secure boot process. As a result, we can significantly > improve the boot speed without compromising system security. > > Patch 2/2: docs: Update kernel-parameters.txt for signature verification > enhancement > The second patch is just to update the kernel parameters list > documentation. > > Background and Motivation > In certain contexts, boot speed becomes crucial. This patch follows the > recognition that security checks can at times be redundant. Therefore, > it proves valuable to skip those checks that have already been validated. > > In a typical Secure Boot startup with an initrd, the bootloader is > responsible for verifying artifacts before relinquishing control. In a > verified initrd image, it is reasonable to assume that its content is > also secure. Consequently, verifying module signatures may be deemed > unnecessary. > This patch introduces a feature to skip signature verification during > the initrd boot phase. > > Alessandro Carminati (Red Hat) (2): > Modules: Introduce boot-time module signature flexibility > docs: Update kernel-parameters.txt for signature verification > enhancement > > .../admin-guide/kernel-parameters.txt | 9 +++ > include/linux/module.h | 4 ++ > kernel/module/main.c | 14 +++-- > kernel/module/signing.c | 56 +++++++++++++++++++ > 4 files changed, 77 insertions(+), 6 deletions(-) > > -- > 2.34.1 >
