You are not logged in.

#1 2014-02-22 06:59:54

rdahlgren
Member
From: Middle States, USA
Registered: 2014-02-17
Posts: 36
Website

Module Signing

Given that we already rely heavily on signed components through pacman, has there been any talk of supporting signed kernel modules in the Arch kernel?

I was looking through the Documentation directory in the kernel tree and found the `module-signing.txt` file. This file describes support in the kernel for validating module signatures prior to loading them - thereby decreasing the likelihood that malware could insert itself as a kernel module (a popular tactic for low-tech rootkits).

If there's support behind this, I'd gladly lend a hand enabling it. This would make us one of the few distros to support signed modules out of the box!

Ron

Offline

#2 2014-02-22 10:05:30

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: Module Signing

If you want a response from Arch developers, post this in the bugtracker as a feature request.

Offline

#3 2014-02-22 10:13:04

progandy
Member
Registered: 2012-05-17
Posts: 5,319

Re: Module Signing

If you want signed modules, you have three options: all binary modules have to be signed by trusted arch developers (you cannot have trusted self-compiled modules), you can have a pubic signature key and therefore it is effectively useless or you have to compile the kernel and all modules yourself.
Since the first two options are quite time-consuming or useless arch does not implement them I guess.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |

Offline

#4 2014-02-23 06:12:06

rdahlgren
Member
From: Middle States, USA
Registered: 2014-02-17
Posts: 36
Website

Re: Module Signing

I was thinking more of a scheme where the kernel and modules that come from the official repositories are signed with an inherently trusted "Arch key". Then the iso image and precompiled binaries that are used would be signed by this key.

I hadn't thought about closed-source, binary only modules though. I suppose the user would need to trust whatever distributor provides them. Maybe the process will be less painful in the future, but I see your point progandy.

Offline

Board footer

Powered by FluxBB