Signed Kernel Modules
Signed kernel modules have been a feature of other operating systems for a number of years. Some people and companies like the idea of installing only modules (or drivers, as they are sometimes called) that are known to be blessed by some authority in their operating systems. Given the changes in how Linux loads kernel modules, signed kernel modules easily can be added to the Linux kernel. This article discusses how I have implemented this feature and details how to use it.
In a signed kernel module, someone has inserted a digital signature into the module stating they trust this specific module. I am not going to try to persuade anyone that Linux should have this ability, that it should be required or even that it provides increased security. I describe only how to do it and provide the method for its implementation, if anyone wants to use it.
Public key cryptography is used to make signed kernel modules work. For an overview of the RSA public key cryptographic algorithm—what it is and how it works—see the Linux Journal Web article at www.linuxjournal.com/article/6826. This article assumes readers are familiar with the basics of public-key cryptography and that they are able to patch, build and load a new Linux kernel onto their machines. For instructions on how to build and load a new kernel, see the very helpful Linux Kernel HOWTO located at www.tldp.org.
In the 2.5 kernel development series, Rusty Russell rewrote the way Linux kernel modules work. In previous kernels, the majority of the module loading logic was stored in user space. With Rusty's changes, all of that logic moved into the kernel, reducing the amount of architecture-independent logic and simplifying the user interface greatly. One nice side benefit of this is the kernel now has access to the entire module file in raw form. The kernel module simply is a file in ELF format. ELF stands for executable and linking format and is the format used for executable programs. The ELF specification can be found in text form at www.muppetlabs.com/~breadbox/software/ELF.txt.
ELF files are comprised of different sections. These sections can be seen by running the readelf program. For example:
$ readelf -S visor.ko There are 23 section headers, starting at offset 0x3954: Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .text PROGBITS 00000000 000040 0017e0 00 AX 0 0 16 [ 2] .rel.text REL 00000000 003cec 000cd0 08 21 1 4 [ 3] .init.text PROGBITS 00000000 001820 000210 00 AX 0 0 16 [ 4] .rel.init.text REL 00000000 0049bc 0001c8 08 21 3 4 [ 5] .exit.text PROGBITS 00000000 001a30 000030 00 AX 0 0 16 [ 6] .rel.exit.text REL 00000000 004b84 000030 08 21 5 4 [ 7] .rodata PROGBITS 00000000 001a60 000020 00 A 0 0 16 [ 8] .rel.rodata REL 00000000 004bb4 000028 08 21 7 4 [ 9] .rodata.str1.1 PROGBITS 00000000 001a80 000449 01 AMS 0 0 1  .rodata.str1.32 PROGBITS 00000000 001ee0 0009c0 01 AMS 0 0 32  .modinfo PROGBITS 00000000 0028a0 0006c0 00 A 0 0 32  .data PROGBITS 00000000 002f60 000600 00 WA 0 0 32  .rel.data REL 00000000 004bdc 0001e0 08 21 c 4  .gnu.linkonce.thi PROGBITS 00000000 003560 000120 00 WA 0 0 32  .rel.gnu.linkonce REL 00000000 004dbc 000010 08 21 e 4  __obsparm PROGBITS 00000000 003680 000180 00 WA 0 0 32  .bss NOBITS 00000000 003800 00000c 00 WA 0 0 4  .comment PROGBITS 00000000 003800 00006e 00 0 0 1  .note NOTE 00000000 00386e 000028 00 0 0 1  .shstrtab STRTAB 00000000 003896 0000bd 00 0 0 1  .symtab SYMTAB 00000000 004dcc 000760 10 22 58 4  .strtab STRTAB 00000000 00552c 000580 00 0 0 1
Because ELF files are made up of sections, it is easy to add a new section to the module file and have the kernel read it into memory when it tries to load the module. If we put an RSA-signed section into the module, the kernel can decrypt the signature and compare it to the signature of the file it just loaded. If it matches, the signature is valid and the module is inserted successfully into the kernel's memory. If the signature does not match, either something has been tampered with in the module or the module was not signed with a proper key. The module then can be rejected—that is what my patch does.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- The Qt Company's Qt Start-Up
- Devuan Beta Release
- May 2016 Issue of Linux Journal
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The US Government and Open-Source Software
- Open-Source Project Secretly Funded by CIA
- The Humble Hacker?
- The Death of RoboVM
- New Container Image Standard Promises More Portable Apps
- BitTorrent Inc.'s Sync
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide