Signed Kernel Modules
Signed kernel modules have been a feature of other operating systems for a number of years. Some people and companies like the idea of installing only modules (or drivers, as they are sometimes called) that are known to be blessed by some authority in their operating systems. Given the changes in how Linux loads kernel modules, signed kernel modules easily can be added to the Linux kernel. This article discusses how I have implemented this feature and details how to use it.
In a signed kernel module, someone has inserted a digital signature into the module stating they trust this specific module. I am not going to try to persuade anyone that Linux should have this ability, that it should be required or even that it provides increased security. I describe only how to do it and provide the method for its implementation, if anyone wants to use it.
Public key cryptography is used to make signed kernel modules work. For an overview of the RSA public key cryptographic algorithm—what it is and how it works—see the Linux Journal Web article at www.linuxjournal.com/article/6826. This article assumes readers are familiar with the basics of public-key cryptography and that they are able to patch, build and load a new Linux kernel onto their machines. For instructions on how to build and load a new kernel, see the very helpful Linux Kernel HOWTO located at www.tldp.org.
In the 2.5 kernel development series, Rusty Russell rewrote the way Linux kernel modules work. In previous kernels, the majority of the module loading logic was stored in user space. With Rusty's changes, all of that logic moved into the kernel, reducing the amount of architecture-independent logic and simplifying the user interface greatly. One nice side benefit of this is the kernel now has access to the entire module file in raw form. The kernel module simply is a file in ELF format. ELF stands for executable and linking format and is the format used for executable programs. The ELF specification can be found in text form at www.muppetlabs.com/~breadbox/software/ELF.txt.
ELF files are comprised of different sections. These sections can be seen by running the readelf program. For example:
$ readelf -S visor.ko There are 23 section headers, starting at offset 0x3954: Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .text PROGBITS 00000000 000040 0017e0 00 AX 0 0 16 [ 2] .rel.text REL 00000000 003cec 000cd0 08 21 1 4 [ 3] .init.text PROGBITS 00000000 001820 000210 00 AX 0 0 16 [ 4] .rel.init.text REL 00000000 0049bc 0001c8 08 21 3 4 [ 5] .exit.text PROGBITS 00000000 001a30 000030 00 AX 0 0 16 [ 6] .rel.exit.text REL 00000000 004b84 000030 08 21 5 4 [ 7] .rodata PROGBITS 00000000 001a60 000020 00 A 0 0 16 [ 8] .rel.rodata REL 00000000 004bb4 000028 08 21 7 4 [ 9] .rodata.str1.1 PROGBITS 00000000 001a80 000449 01 AMS 0 0 1  .rodata.str1.32 PROGBITS 00000000 001ee0 0009c0 01 AMS 0 0 32  .modinfo PROGBITS 00000000 0028a0 0006c0 00 A 0 0 32  .data PROGBITS 00000000 002f60 000600 00 WA 0 0 32  .rel.data REL 00000000 004bdc 0001e0 08 21 c 4  .gnu.linkonce.thi PROGBITS 00000000 003560 000120 00 WA 0 0 32  .rel.gnu.linkonce REL 00000000 004dbc 000010 08 21 e 4  __obsparm PROGBITS 00000000 003680 000180 00 WA 0 0 32  .bss NOBITS 00000000 003800 00000c 00 WA 0 0 4  .comment PROGBITS 00000000 003800 00006e 00 0 0 1  .note NOTE 00000000 00386e 000028 00 0 0 1  .shstrtab STRTAB 00000000 003896 0000bd 00 0 0 1  .symtab SYMTAB 00000000 004dcc 000760 10 22 58 4  .strtab STRTAB 00000000 00552c 000580 00 0 0 1
Because ELF files are made up of sections, it is easy to add a new section to the module file and have the kernel read it into memory when it tries to load the module. If we put an RSA-signed section into the module, the kernel can decrypt the signature and compare it to the signature of the file it just loaded. If it matches, the signature is valid and the module is inserted successfully into the kernel's memory. If the signature does not match, either something has been tampered with in the module or the module was not signed with a proper key. The module then can be rejected—that is what my patch does.
- Hacking a Safe with Bash
- Django Models and Migrations
- Secure Server Deployments in Hostile Territory, Part II
- The Controversy Behind Canonical's Intellectual Property Policy
- Huge Package Overhaul for Debian and Ubuntu
- Home Automation with Raspberry Pi
- Shashlik - a Tasty New Android Simulator
- Embed Linux in Monitoring and Control Systems
- KDE Reveals Plasma Mobile
- diff -u: What's New in Kernel Development