Signed Kernel Modules
Signed kernel modules have been a feature of other operating systems for a number of years. Some people and companies like the idea of installing only modules (or drivers, as they are sometimes called) that are known to be blessed by some authority in their operating systems. Given the changes in how Linux loads kernel modules, signed kernel modules easily can be added to the Linux kernel. This article discusses how I have implemented this feature and details how to use it.
In a signed kernel module, someone has inserted a digital signature into the module stating they trust this specific module. I am not going to try to persuade anyone that Linux should have this ability, that it should be required or even that it provides increased security. I describe only how to do it and provide the method for its implementation, if anyone wants to use it.
Public key cryptography is used to make signed kernel modules work. For an overview of the RSA public key cryptographic algorithm—what it is and how it works—see the Linux Journal Web article at www.linuxjournal.com/article/6826. This article assumes readers are familiar with the basics of public-key cryptography and that they are able to patch, build and load a new Linux kernel onto their machines. For instructions on how to build and load a new kernel, see the very helpful Linux Kernel HOWTO located at www.tldp.org.
In the 2.5 kernel development series, Rusty Russell rewrote the way Linux kernel modules work. In previous kernels, the majority of the module loading logic was stored in user space. With Rusty's changes, all of that logic moved into the kernel, reducing the amount of architecture-independent logic and simplifying the user interface greatly. One nice side benefit of this is the kernel now has access to the entire module file in raw form. The kernel module simply is a file in ELF format. ELF stands for executable and linking format and is the format used for executable programs. The ELF specification can be found in text form at www.muppetlabs.com/~breadbox/software/ELF.txt.
ELF files are comprised of different sections. These sections can be seen by running the readelf program. For example:
$ readelf -S visor.ko There are 23 section headers, starting at offset 0x3954: Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .text PROGBITS 00000000 000040 0017e0 00 AX 0 0 16 [ 2] .rel.text REL 00000000 003cec 000cd0 08 21 1 4 [ 3] .init.text PROGBITS 00000000 001820 000210 00 AX 0 0 16 [ 4] .rel.init.text REL 00000000 0049bc 0001c8 08 21 3 4 [ 5] .exit.text PROGBITS 00000000 001a30 000030 00 AX 0 0 16 [ 6] .rel.exit.text REL 00000000 004b84 000030 08 21 5 4 [ 7] .rodata PROGBITS 00000000 001a60 000020 00 A 0 0 16 [ 8] .rel.rodata REL 00000000 004bb4 000028 08 21 7 4 [ 9] .rodata.str1.1 PROGBITS 00000000 001a80 000449 01 AMS 0 0 1  .rodata.str1.32 PROGBITS 00000000 001ee0 0009c0 01 AMS 0 0 32  .modinfo PROGBITS 00000000 0028a0 0006c0 00 A 0 0 32  .data PROGBITS 00000000 002f60 000600 00 WA 0 0 32  .rel.data REL 00000000 004bdc 0001e0 08 21 c 4  .gnu.linkonce.thi PROGBITS 00000000 003560 000120 00 WA 0 0 32  .rel.gnu.linkonce REL 00000000 004dbc 000010 08 21 e 4  __obsparm PROGBITS 00000000 003680 000180 00 WA 0 0 32  .bss NOBITS 00000000 003800 00000c 00 WA 0 0 4  .comment PROGBITS 00000000 003800 00006e 00 0 0 1  .note NOTE 00000000 00386e 000028 00 0 0 1  .shstrtab STRTAB 00000000 003896 0000bd 00 0 0 1  .symtab SYMTAB 00000000 004dcc 000760 10 22 58 4  .strtab STRTAB 00000000 00552c 000580 00 0 0 1
Because ELF files are made up of sections, it is easy to add a new section to the module file and have the kernel read it into memory when it tries to load the module. If we put an RSA-signed section into the module, the kernel can decrypt the signature and compare it to the signature of the file it just loaded. If it matches, the signature is valid and the module is inserted successfully into the kernel's memory. If the signature does not match, either something has been tampered with in the module or the module was not signed with a proper key. The module then can be rejected—that is what my patch does.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Profiles and RC Files
- Astronomy for KDE
- Understanding Ceph and Its Place in the Market
- Maru OS Brings Debian to Your Phone
- Snappy Moves to New Platforms
- Git 2.9 Released
- OpenSwitch Finds a New Home
- What's Our Next Fight?
- The Giant Zero, Part 0.x
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide