From 106a4ee258d14818467829bf0e12aeae14c16cd7 Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Wed, 26 Sep 2012 10:09:40 +0100 Subject: module: signature checking hook We do a very simple search for a particular string appended to the module (which is cache-hot and about to be SHA'd anyway). There's both a config option and a boot parameter which control whether we accept or fail with unsigned modules and modules that are signed with an unknown key. If module signing is enabled, the kernel will be tainted if a module is loaded that is unsigned or has a signature for which we don't have the key. (Useful feedback and tweaks by David Howells ) Signed-off-by: Rusty Russell Signed-off-by: David Howells Signed-off-by: Rusty Russell --- kernel/module-internal.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 kernel/module-internal.h (limited to 'kernel/module-internal.h') diff --git a/kernel/module-internal.h b/kernel/module-internal.h new file mode 100644 index 00000000000..033c17fd70e --- /dev/null +++ b/kernel/module-internal.h @@ -0,0 +1,13 @@ +/* Module internals + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +extern int mod_verify_sig(const void *mod, unsigned long modlen, + const void *sig, unsigned long siglen); -- cgit v1.2.3-18-g5258 From 631cc66eb9eaa7296e303197ff1eb0f55e32b61d Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 26 Sep 2012 10:09:51 +0100 Subject: MODSIGN: Provide module signing public keys to the kernel Include a PGP keyring containing the public keys required to perform module verification in the kernel image during build and create a special keyring during boot which is then populated with keys of crypto type holding the public keys found in the PGP keyring. These can be seen by root: [root@andromeda ~]# cat /proc/keys 07ad4ee0 I----- 1 perm 3f010000 0 0 crypto modsign.0: RSA 87b9b3bd [] 15c7f8c3 I----- 1 perm 1f030000 0 0 keyring .module_sign: 1/4 ... It is probably worth permitting root to invalidate these keys, resulting in their removal and preventing further modules from being loaded with that key. Signed-off-by: David Howells Signed-off-by: Rusty Russell --- kernel/module-internal.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'kernel/module-internal.h') diff --git a/kernel/module-internal.h b/kernel/module-internal.h index 033c17fd70e..6114a13419b 100644 --- a/kernel/module-internal.h +++ b/kernel/module-internal.h @@ -9,5 +9,7 @@ * 2 of the Licence, or (at your option) any later version. */ +extern struct key *modsign_keyring; + extern int mod_verify_sig(const void *mod, unsigned long modlen, const void *sig, unsigned long siglen); -- cgit v1.2.3-18-g5258 From caabe240574aec05b2f5667414ce80f9075c2ba1 Mon Sep 17 00:00:00 2001 From: David Howells Date: Sat, 20 Oct 2012 01:19:29 +0100 Subject: MODSIGN: Move the magic string to the end of a module and eliminate the search Emit the magic string that indicates a module has a signature after the signature data instead of before it. This allows module_sig_check() to be made simpler and faster by the elimination of the search for the magic string. Instead we just need to do a single memcmp(). This works because at the end of the signature data there is the fixed-length signature information block. This block then falls immediately prior to the magic number. From the contents of the information block, it is trivial to calculate the size of the signature data and thus the size of the actual module data. Signed-off-by: David Howells Signed-off-by: Linus Torvalds --- kernel/module-internal.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'kernel/module-internal.h') diff --git a/kernel/module-internal.h b/kernel/module-internal.h index 6114a13419b..24f9247b7d0 100644 --- a/kernel/module-internal.h +++ b/kernel/module-internal.h @@ -11,5 +11,4 @@ extern struct key *modsign_keyring; -extern int mod_verify_sig(const void *mod, unsigned long modlen, - const void *sig, unsigned long siglen); +extern int mod_verify_sig(const void *mod, unsigned long *_modlen); -- cgit v1.2.3-18-g5258