On Fri, 22 Mar 2019 14:46:20 +0000 Peter Humphrey wrote:

> Hello list,
>
> Years ago, in the days of Yggdrasil I think, the received wisdom was that
> enabling kernel module loading was a bad idea because an attacker might be
> able to load malicious software directly into the kernel. No modules --> one
> more attack route closed.
>
> What is the current thinking on this topic? I'm not trolling; I'd like to
> know which way to go with a new box.
These days one can configure the kernel to load only signed modules (with the public key compiled into the kernel) and refuse to load all unsigned modules [CONFIG_MODULE_SIG_FORCE]. During the normal kernel build process all legitimate modules will be signed [CONFIG_MODULE_SIG_ALL]. All out-of-tree modules may be signed manually as well [scripts/sign-file]. Afterwards the signing key [certs/signing_key.pem] may be removed from the system (e.g. encrypted or deleted).

The benefit of this approach compared to a kernel without modules is:

1) out-of-tree kernel modules can be used (e.g. I use openafs)

2) the kernel can be made smaller and faster by moving rarely needed functionality into modules (e.g. support for various USB devices, network protocols or filters, and other subsystems which are not used on a daily basis but may be needed occasionally).

Best regards,
Andrew Savchenko
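As an added illustration (not part of Andrew's message or of the kernel tree), the script below does two checks a defender would run after adopting this approach: it confirms that a kernel .config actually enables signature enforcement (CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE, CONFIG_MODULE_SIG_ALL), and it inspects a module image's trailer for the signature marker and `struct module_signature` that the kernel appends to signed modules. The .config fragments and the module byte strings are constructed samples, not real build output; the trailer layout follows the kernel's `module_signature` structure (five single-byte fields, three pad bytes, a big-endian 32-bit signature length, then the magic string).

```python
"""Check signed-module enforcement in a kernel .config and inspect a .ko trailer.

Added example, not code from the mailing-list thread. Sample inputs are constructed.
"""
import struct

# Marker the kernel appends after the signature of a signed module.
SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type used for PKCS#7 signatures

# Options whose values must match for the kernel to refuse unsigned modules.
REQUIRED = {
    "CONFIG_MODULE_SIG": "y",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_MODULE_SIG_ALL": "y",
}


def parse_config(text):
    """Parse KEY=VALUE lines of a .config; '# CONFIG_X is not set' lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        opts[key] = val
    return opts


def check_config(text):
    """Return the names of required options that are missing or not set to 'y'."""
    opts = parse_config(text)
    return [k for k, v in REQUIRED.items() if opts.get(k) != v]


def inspect_module(data):
    """Return (signed, sig_len, id_type) by reading the trailer of a module image.

    Only the trailer framing is checked here; cryptographic verification is done
    by the kernel (or by 'modinfo'/openssl) against the compiled-in key.
    """
    if not data.endswith(SIG_MAGIC):
        return (False, 0, None)
    body = data[: -len(SIG_MAGIC)]
    if len(body) < SIG_STRUCT.size:
        return (False, 0, None)
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:]
    )
    # The signature must fit inside the bytes that precede the struct.
    if sig_len > len(body) - SIG_STRUCT.size:
        return (False, 0, None)
    return (True, sig_len, id_type)


# --- constructed samples -------------------------------------------------
CONFIG_WEAK = (
    "CONFIG_MODULES=y\n"
    "CONFIG_MODULE_SIG=y\n"
    "CONFIG_MODULE_SIG_ALL=y\n"
    "# CONFIG_MODULE_SIG_FORCE is not set\n"
)
CONFIG_STRICT = (
    "CONFIG_MODULES=y\n"
    "CONFIG_MODULE_SIG=y\n"
    "CONFIG_MODULE_SIG_FORCE=y\n"
    "CONFIG_MODULE_SIG_ALL=y\n"
)
# A stand-in module body (not a real ELF), a 64-byte placeholder signature,
# a module_signature struct describing it, and the magic trailer.
FAKE_BODY = b"\x7fELF-ish module body (constructed)"
FAKE_SIGNED = (
    FAKE_BODY
    + b"\x30" * 64
    + SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 64)
    + SIG_MAGIC
)
FAKE_UNSIGNED = FAKE_BODY

if __name__ == "__main__":
    print("weak .config missing:", check_config(CONFIG_WEAK))
    print("strict .config missing:", check_config(CONFIG_STRICT))
    print("signed sample:", inspect_module(FAKE_SIGNED))
    print("unsigned sample:", inspect_module(FAKE_UNSIGNED))
```

To run the same trailer check against a real module, read the .ko file into bytes and pass it to `inspect_module`; an out-of-tree module built without CONFIG_MODULE_SIG_ALL will report unsigned until it is signed with `scripts/sign-file` (hash algorithm, private key, X.509 certificate, module path as arguments), after which the trailer appears and the private key can be moved off the box as the message suggests.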