From 160e01aca3daa7c09da86748b08914cdfaca539f Mon Sep 17 00:00:00 2001 From: James Solner Date: Wed, 4 Dec 2013 14:08:58 +1030 Subject: [PATCH 1/6] Add Documentation/module-signing.txt file This patch adds the Documentation/module-signing.txt file that is currently missing from the Documentation directory. The init/Kconfig file references the Documentation/module-signing.txt file to explain how kernel module signing works. This patch supplies this documentation. The initial version of this patch provided old documentation that was a mixture of the old RHEL style GPG signing. Version 1: Updated the documentation to described the current implementation using x509 certificate signing. Version 2: fixes grammar/spelling mistakes and removes trailing whitespaces. Version 3, fixes grammar/spelling mistakes. Version 4: Include updates from David Howells and fixes for spelling mistakes. Signed-off-by: James Solner Signed-off-by: David Howells Signed-off-by: Rusty Russell --- Documentation/module-signing.txt | 240 +++++++++++++++++++++++++++++++ 1 file changed, 240 insertions(+) create mode 100644 Documentation/module-signing.txt diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt new file mode 100644 index 000000000000..c34815d8c69b --- /dev/null +++ b/Documentation/module-signing.txt @@ -0,0 +1,240 @@ + ============================== + KERNEL MODULE SIGNING FACILITY + ============================== + +CONTENTS + + - Overview. + - Configuring module signing. + - Generating signing keys. + - Public keys in the kernel. + - Manually signing modules. + - Signed modules and stripping. + - Loading signed modules. + - Non-valid signatures and unsigned modules. + - Administering/protecting the private key. + + +======== +OVERVIEW +======== + +The kernel module signing facility cryptographically signs modules during +installation and then checks the signature upon loading the module. This +allows increased kernel security by disallowing the loading of unsigned modules +or modules signed with an invalid key. Module signing increases security by +making it harder to load a malicious module into the kernel. The module +signature checking is done by the kernel so that it is not necessary to have +trusted userspace bits. + +This facility uses X.509 ITU-T standard certificates to encode the public keys +involved. The signatures are not themselves encoded in any industrial standard +type. The facility currently only supports the RSA public key encryption +standard (though it is pluggable and permits others to be used). The possible +hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, and +SHA-512 (the algorithm is selected by data in the signature). + + +========================== +CONFIGURING MODULE SIGNING +========================== + +The module signing facility is enabled by going to the "Enable Loadable Module +Support" section of the kernel configuration and turning on + + CONFIG_MODULE_SIG "Module signature verification" + +This has a number of options available: + + (1) "Require modules to be validly signed" (CONFIG_MODULE_SIG_FORCE) + + This specifies how the kernel should deal with a module that has a + signature for which the key is not known or a module that is unsigned. + + If this is off (ie. "permissive"), then modules for which the key is not + available and modules that are unsigned are permitted, but the kernel will + be marked as being tainted. + + If this is on (ie. "restrictive"), only modules that have a valid + signature that can be verified by a public key in the kernel's possession + will be loaded. All other modules will generate an error. + + Irrespective of the setting here, if the module has a signature block that + cannot be parsed, it will be rejected out of hand. + + + (2) "Automatically sign all modules" (CONFIG_MODULE_SIG_ALL) + + If this is on then modules will be automatically signed during the + modules_install phase of a build. If this is off, then the modules must + be signed manually using: + + scripts/sign-file + + + (3) "Which hash algorithm should modules be signed with?" + + This presents a choice of which hash algorithm the installation phase will + sign the modules with: + + CONFIG_SIG_SHA1 "Sign modules with SHA-1" + CONFIG_SIG_SHA224 "Sign modules with SHA-224" + CONFIG_SIG_SHA256 "Sign modules with SHA-256" + CONFIG_SIG_SHA384 "Sign modules with SHA-384" + CONFIG_SIG_SHA512 "Sign modules with SHA-512" + + The algorithm selected here will also be built into the kernel (rather + than being a module) so that modules signed with that algorithm can have + their signatures checked without causing a dependency loop. + + +======================= +GENERATING SIGNING KEYS +======================= + +Cryptographic keypairs are required to generate and check signatures. A +private key is used to generate a signature and the corresponding public key is +used to check it. The private key is only needed during the build, after which +it can be deleted or stored securely. The public key gets built into the +kernel so that it can be used to check the signatures as the modules are +loaded. + +Under normal conditions, the kernel build will automatically generate a new +keypair using openssl if one does not exist in the files: + + signing_key.priv + signing_key.x509 + +during the building of vmlinux (the public part of the key needs to be built +into vmlinux) using parameters in the: + + x509.genkey + +file (which is also generated if it does not already exist). + +It is strongly recommended that you provide your own x509.genkey file. + +Most notably, in the x509.genkey file, the req_distinguished_name section +should be altered from the default: + + [ req_distinguished_name ] + O = Magrathea + CN = Glacier signing key + emailAddress = slartibartfast@magrathea.h2g2 + +The generated RSA key size can also be set with: + + [ req ] + default_bits = 4096 + + +It is also possible to manually generate the key private/public files using the +x509.genkey key generation configuration file in the root node of the Linux +kernel sources tree and the openssl command. The following is an example to +generate the public/private key files: + + openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \ + -config x509.genkey -outform DER -out signing_key.x509 \ + -keyout signing_key.priv + + +========================= +PUBLIC KEYS IN THE KERNEL +========================= + +The kernel contains a ring of public keys that can be viewed by root. They're +in a keyring called ".system_keyring" that can be seen by: + + [root@deneb ~]# cat /proc/keys + ... + 223c7853 I------ 1 perm 1f030000 0 0 keyring .system_keyring: 1 + 302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora kernel signing key: d69a84e6bce3d216b979e9505b3e3ef9a7118079: X509.RSA a7118079 [] + ... + +Beyond the public key generated specifically for module signing, any file +placed in the kernel source root directory or the kernel build root directory +whose name is suffixed with ".x509" will be assumed to be an X.509 public key +and will be added to the keyring. + +Further, the architecture code may take public keys from a hardware store and +add those in also (e.g. from the UEFI key database). + +Finally, it is possible to add additional public keys by doing: + + keyctl padd asymmetric "" [.system_keyring-ID] <[key-file] + +e.g.: + + keyctl padd asymmetric "" 0x223c7853 Date: Wed, 4 Dec 2013 14:09:38 +1030 Subject: [PATCH 2/6] params: improve standard definitions We are repeating the functionality of kstrtol in param_set_long, and the same for kstrtoint. We can get rid of the extra code by using the right functions. Signed-off-by: Felipe Contreras Signed-off-by: Rusty Russell --- kernel/params.c | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/kernel/params.c b/kernel/params.c index c00d5b502aa4..b00142e7f3ba 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -227,17 +227,10 @@ int parse_args(const char *doing, } /* Lazy bastard, eh? */ -#define STANDARD_PARAM_DEF(name, type, format, tmptype, strtolfn) \ +#define STANDARD_PARAM_DEF(name, type, format, strtolfn) \ int param_set_##name(const char *val, const struct kernel_param *kp) \ { \ - tmptype l; \ - int ret; \ - \ - ret = strtolfn(val, 0, &l); \ - if (ret < 0 || ((type)l != l)) \ - return ret < 0 ? ret : -EINVAL; \ - *((type *)kp->arg) = l; \ - return 0; \ + return strtolfn(val, 0, (type *)kp->arg); \ } \ int param_get_##name(char *buffer, const struct kernel_param *kp) \ { \ @@ -253,13 +246,13 @@ int parse_args(const char *doing, EXPORT_SYMBOL(param_ops_##name) -STANDARD_PARAM_DEF(byte, unsigned char, "%hhu", unsigned long, kstrtoul); -STANDARD_PARAM_DEF(short, short, "%hi", long, kstrtol); -STANDARD_PARAM_DEF(ushort, unsigned short, "%hu", unsigned long, kstrtoul); -STANDARD_PARAM_DEF(int, int, "%i", long, kstrtol); -STANDARD_PARAM_DEF(uint, unsigned int, "%u", unsigned long, kstrtoul); -STANDARD_PARAM_DEF(long, long, "%li", long, kstrtol); -STANDARD_PARAM_DEF(ulong, unsigned long, "%lu", unsigned long, kstrtoul); +STANDARD_PARAM_DEF(byte, unsigned char, "%hhu", kstrtou8); +STANDARD_PARAM_DEF(short, short, "%hi", kstrtos16); +STANDARD_PARAM_DEF(ushort, unsigned short, "%hu", kstrtou16); +STANDARD_PARAM_DEF(int, int, "%i", kstrtoint); +STANDARD_PARAM_DEF(uint, unsigned int, "%u", kstrtouint); +STANDARD_PARAM_DEF(long, long, "%li", kstrtol); +STANDARD_PARAM_DEF(ulong, unsigned long, "%lu", kstrtoul); int param_set_charp(const char *val, const struct kernel_param *kp) { From 74e22fac8858f83af9b589f1dcb004ccf4991003 Mon Sep 17 00:00:00 2001 From: Joe Perches Date: Wed, 4 Dec 2013 14:09:38 +1030 Subject: [PATCH 3/6] module.h: Remove unnecessary semicolon [All 8 callers already have semicolons. -- RR] Signed-off-by: Joe Perches Signed-off-by: Rusty Russell --- include/linux/module.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/module.h b/include/linux/module.h index 15cd6b1b211e..46e548fd502a 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -451,7 +451,7 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, extern void __module_put_and_exit(struct module *mod, long code) __attribute__((noreturn)); -#define module_put_and_exit(code) __module_put_and_exit(THIS_MODULE, code); +#define module_put_and_exit(code) __module_put_and_exit(THIS_MODULE, code) #ifdef CONFIG_MODULE_UNLOAD unsigned long module_refcount(struct module *mod); From 7b4ec8dd7d4ac467e9eee4d49f2c9574d773efbb Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 16 Jan 2014 10:18:48 +1030 Subject: [PATCH 4/6] export: declare ksymtab symbols sparse complains about any __ksymtab symbols with the following: warning: symbol '__ksymtab_...' was not declared. Should it be static? due to Andi's patch making it non-static. Mollify sparse by declaring the symbol extern, otherwise we get drowned in sparse warnings for anything that uses EXPORT_SYMBOL in the sources, making it easy to miss real warnings. Fixes: e0f244c63fc9 ("asmlinkage, module: Make ksymtab [...] __visible") Signed-off-by: Johannes Berg Acked-by: Andi Kleen Signed-off-by: Rusty Russell --- include/linux/export.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/export.h b/include/linux/export.h index 3f2793d51899..96e45ea463e7 100644 --- a/include/linux/export.h +++ b/include/linux/export.h @@ -59,6 +59,7 @@ extern struct module __this_module; static const char __kstrtab_##sym[] \ __attribute__((section("__ksymtab_strings"), aligned(1))) \ = VMLINUX_SYMBOL_STR(sym); \ + extern const struct kernel_symbol __ksymtab_##sym; \ __visible const struct kernel_symbol __ksymtab_##sym \ __used \ __attribute__((section("___ksymtab" sec "+" #sym), unused)) \ From e865d06b1798746b85340777332b0e6f50e95ab7 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Thu, 16 Jan 2014 10:18:49 +1030 Subject: [PATCH 5/6] module: fix coding style Fix coding style of module.h Signed-off-by: Seunghun Lee Signed-off-by: Rusty Russell --- include/linux/module.h | 60 +++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/include/linux/module.h b/include/linux/module.h index 46e548fd502a..eaf60ff9ba94 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -29,8 +29,7 @@ #define MODULE_NAME_LEN MAX_PARAM_PREFIX_LEN -struct modversion_info -{ +struct modversion_info { unsigned long crc; char name[MODULE_NAME_LEN]; }; @@ -84,12 +83,12 @@ void sort_main_extable(void); void trim_init_extable(struct module *m); #ifdef MODULE -#define MODULE_GENERIC_TABLE(gtype,name) \ +#define MODULE_GENERIC_TABLE(gtype, name) \ extern const struct gtype##_id __mod_##gtype##_table \ __attribute__ ((unused, alias(__stringify(name)))) #else /* !MODULE */ -#define MODULE_GENERIC_TABLE(gtype,name) +#define MODULE_GENERIC_TABLE(gtype, name) #endif /* Generic info of form tag = "info" */ @@ -126,7 +125,7 @@ extern const struct gtype##_id __mod_##gtype##_table \ * is a GPL combined work. * * This exists for several reasons - * 1. So modinfo can show license info for users wanting to vet their setup + * 1. So modinfo can show license info for users wanting to vet their setup * is free * 2. So the community can ignore bug reports including proprietary modules * 3. So vendors can do likewise based on their own policies @@ -138,27 +137,29 @@ extern const struct gtype##_id __mod_##gtype##_table \ * authors use multiple MODULE_AUTHOR() statements/lines. */ #define MODULE_AUTHOR(_author) MODULE_INFO(author, _author) - + /* What your module does. */ #define MODULE_DESCRIPTION(_description) MODULE_INFO(description, _description) -#define MODULE_DEVICE_TABLE(type,name) \ - MODULE_GENERIC_TABLE(type##_device,name) +#define MODULE_DEVICE_TABLE(type, name) \ + MODULE_GENERIC_TABLE(type##_device, name) /* Version of form [:][-]. - Or for CVS/RCS ID version, everything but the number is stripped. - : A (small) unsigned integer which allows you to start versions - anew. If not mentioned, it's zero. eg. "2:1.0" is after - "1:2.0". - : The may contain only alphanumerics and the - character `.'. Ordered by numeric sort for numeric parts, - ascii sort for ascii parts (as per RPM or DEB algorithm). - : Like , but inserted for local - customizations, eg "rh3" or "rusty1". + * Or for CVS/RCS ID version, everything but the number is stripped. + * : A (small) unsigned integer which allows you to start versions + * anew. If not mentioned, it's zero. eg. "2:1.0" is after + * "1:2.0". - Using this automatically adds a checksum of the .c files and the - local headers in "srcversion". -*/ + * : The may contain only alphanumerics and the + * character `.'. Ordered by numeric sort for numeric parts, + * ascii sort for ascii parts (as per RPM or DEB algorithm). + + * : Like , but inserted for local + * customizations, eg "rh3" or "rusty1". + + * Using this automatically adds a checksum of the .c files and the + * local headers in "srcversion". + */ #if defined(MODULE) || !defined(CONFIG_SYSFS) #define MODULE_VERSION(_version) MODULE_INFO(version, _version) @@ -226,8 +227,7 @@ struct module_ref { unsigned long decs; } __attribute((aligned(2 * sizeof(unsigned long)))); -struct module -{ +struct module { enum module_state state; /* Member of list of modules */ @@ -480,8 +480,8 @@ static inline void module_put(struct module *module) static inline void __module_get(struct module *module) { } -#define symbol_put(x) do { } while(0) -#define symbol_put_addr(p) do { } while(0) +#define symbol_put(x) do { } while (0) +#define symbol_put_addr(p) do { } while (0) #endif /* CONFIG_MODULE_UNLOAD */ int ref_module(struct module *a, struct module *b); @@ -507,8 +507,8 @@ int lookup_module_symbol_attrs(unsigned long addr, unsigned long *size, unsigned /* For extable.c to search modules' exception tables. */ const struct exception_table_entry *search_module_extables(unsigned long addr); -int register_module_notifier(struct notifier_block * nb); -int unregister_module_notifier(struct notifier_block * nb); +int register_module_notifier(struct notifier_block *nb); +int unregister_module_notifier(struct notifier_block *nb); extern void print_modules(void); @@ -548,8 +548,8 @@ static inline bool is_module_text_address(unsigned long addr) /* Get/put a kernel symbol (calls should be symmetric) */ #define symbol_get(x) ({ extern typeof(x) x __attribute__((weak)); &(x); }) -#define symbol_put(x) do { } while(0) -#define symbol_put_addr(x) do { } while(0) +#define symbol_put(x) do { } while (0) +#define symbol_put_addr(x) do { } while (0) static inline void __module_get(struct module *module) { @@ -606,13 +606,13 @@ static inline int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, return 0; } -static inline int register_module_notifier(struct notifier_block * nb) +static inline int register_module_notifier(struct notifier_block *nb) { /* no events will happen anyway, so this can always succeed */ return 0; } -static inline int unregister_module_notifier(struct notifier_block * nb) +static inline int unregister_module_notifier(struct notifier_block *nb) { return 0; } From 22e669568d5195af10bd2f404f9c1809541ad77b Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Tue, 21 Jan 2014 09:58:00 +1030 Subject: [PATCH 6/6] module: Add missing newline in printk call. Add missing \n and also follow commit bddb12b3 "kernel/module.c: use pr_foo()". Signed-off-by: Tetsuo Handa Signed-off-by: Rusty Russell --- kernel/module.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index f5a3b1e8ec51..d24fcf29cb64 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -815,10 +815,8 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user, return -EFAULT; name[MODULE_NAME_LEN-1] = '\0'; - if (!(flags & O_NONBLOCK)) { - printk(KERN_WARNING - "waiting module removal not supported: please upgrade"); - } + if (!(flags & O_NONBLOCK)) + pr_warn("waiting module removal not supported: please upgrade\n"); if (mutex_lock_interruptible(&module_mutex) != 0) return -EINTR;