[RFC,0/2] Enhancing Boot Speed and Security with Delayed Module Signature Verification

Message ID 20230914112739.112729-1-alessandro.carminati@gmail.com
Series: Enhancing Boot Speed and Security with Delayed Module Signature Verification

Message

Alessandro Carminati (Red Hat) Sept. 14, 2023, 11:27 a.m. UTC
This patch sets up a new feature in the Linux kernel: the ability,
while module signature checking is enabled, to delay the moment when
these signatures are effectively checked. The feature is structured
around two main key points: the feature can be enabled by a new kernel
command line argument, and while in delay mode the kernel waits until
userspace signals it to start checking module signatures.
This operation can be done by writing a value to a securityfs file,
which works the same way as /sys/kernel/security/lockdown.

Patch 1/2: Modules: Introduce boot-time module signature flexibility
The first patch in this set fundamentally alters the kernel's behavior
at boot time by implementing a delayed module signature verification
mechanism. It introduces a new boot-time kernel argument that allows
users to request this delay. By doing so, we aim to capitalize on the
cryptographic checks already performed on the kernel and initrd images
during the secure boot process. As a result, we can significantly
improve the boot speed without compromising system security.

Patch 2/2: docs: Update kernel-parameters.txt for signature verification
enhancement
The second patch is just to update the kernel parameters list
documentation.

Background and Motivation
In certain contexts, boot speed becomes crucial. This patch follows the
recognition that security checks can at times be redundant. Therefore,
it proves valuable to skip those checks that have already been validated.

In a typical Secure Boot startup with an initrd, the bootloader is
responsible for verifying artifacts before relinquishing control. In a
verified initrd image, it is reasonable to assume that its content is
also secure. Consequently, verifying module signatures may be deemed
unnecessary.
This patch introduces a feature to skip signature verification during
the initrd boot phase.

Alessandro Carminati (Red Hat) (2):
  Modules: Introduce boot-time module signature flexibility
  docs: Update kernel-parameters.txt for signature verification
    enhancement

 .../admin-guide/kernel-parameters.txt         |  9 +++
 include/linux/module.h                        |  4 ++
 kernel/module/main.c                          | 14 +++--
 kernel/module/signing.c                       | 56 +++++++++++++++++++
 4 files changed, 77 insertions(+), 6 deletions(-)
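The mechanism the cover letter describes (a boot-time switch into a deferred mode, a one-way securityfs latch that userspace closes, and module loads that are or are not checked depending on that state), as an added user-space model in C. This is an illustration written for this page, not code from the patch set; the parameter name module_sig_check_wait is taken from the posted documentation hunk, while the function names, the value "1" written to arm checking, the keyed FNV-1a tag standing in for PKCS#7 verification, the constructed module images and key, and the assumption of enforce mode (a bad or missing signature rejects the module rather than only tainting the kernel) are all assumptions of the example. Its point is the window it makes visible: every module admitted before the latch closes goes in unchecked, so whatever runs in the initrd must arm checking before control passes to anything the bootloader's verification did not cover.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SIG_CHECK_WAIT is what the (assumed) module_sig_check_wait parameter
 * requests; otherwise signature checks are live from the first load. */
enum sig_policy { SIG_CHECK_IMMEDIATE, SIG_CHECK_WAIT };

struct modsig_state {
    enum sig_policy policy;
    bool armed;                 /* one-way latch: once true, never false */
    unsigned unverified_loaded; /* modules admitted while the latch was open */
};

/* Constructed module image; tag == 0 means it carries no signature. */
struct mod_image { const char *name; const char *payload; uint32_t tag; };

/* Constructed build key. The keyed FNV-1a tag stands in for the kernel's
 * PKCS#7 check; it is an illustration, not a MAC. */
static const unsigned char BUILD_KEY[] = "example-build-key";

static uint32_t keyed_tag(const char *payload)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof BUILD_KEY; i++) { h ^= BUILD_KEY[i]; h *= 16777619u; }
    for (const unsigned char *p = (const unsigned char *)payload; *p; p++) { h ^= *p; h *= 16777619u; }
    return h ? h : 1; /* 0 is reserved for "unsigned" */
}

/* What the build's sign-file step would do for a real module. */
struct mod_image make_signed(const char *name, const char *payload)
{
    struct mod_image m = { name, payload, keyed_tag(payload) };
    return m;
}

/* True if cmdline carries flag as a whole token, bare or as "flag=value";
 * a longer token that merely starts with flag does not count. */
bool cmdline_has_flag(const char *cmdline, const char *flag)
{
    size_t n = strlen(flag);
    for (const char *p = cmdline; *p; ) {
        while (*p == ' ') p++;
        const char *end = p;
        while (*end && *end != ' ') end++;
        if ((size_t)(end - p) >= n && strncmp(p, flag, n) == 0 &&
            (p[n] == '\0' || p[n] == ' ' || p[n] == '='))
            return true;
        p = end;
    }
    return false;
}

void modsig_init(struct modsig_state *st, const char *cmdline)
{
    st->policy = cmdline_has_flag(cmdline, "module_sig_check_wait") ? SIG_CHECK_WAIT : SIG_CHECK_IMMEDIATE;
    st->armed = (st->policy == SIG_CHECK_IMMEDIATE);
    st->unverified_loaded = 0;
}

/* Model of the securityfs write handler. As with lockdown the move is one-way:
 * "1" arms checking, anything else is refused and the state is left alone. */
int modsig_securityfs_write(struct modsig_state *st, const char *buf)
{
    if (strcmp(buf, "1") != 0)
        return -1;
    st->armed = true;
    return 0;
}

enum load_result { LOAD_OK, LOAD_OK_UNVERIFIED, LOAD_REJECTED };

/* Module load path, assuming enforce mode (a bad or missing signature rejects
 * the module instead of only tainting the kernel). While the latch is open the
 * signature is not examined at all: that is the window the cover letter accepts. */
enum load_result modsig_load(struct modsig_state *st, const struct mod_image *m)
{
    if (!st->armed) {
        st->unverified_loaded++;
        return LOAD_OK_UNVERIFIED;
    }
    return (m->tag != 0 && m->tag == keyed_tag(m->payload)) ? LOAD_OK : LOAD_REJECTED;
}

int main(void)
{
    struct modsig_state st;
    struct mod_image early = { "initrd-driver", "early-payload", 0 };
    struct mod_image late = make_signed("late-driver", "late-payload");
    modsig_init(&st, "root=/dev/vda1 module_sig_check_wait quiet");
    printf("initrd load, latch open: %d\n", modsig_load(&st, &early));
    modsig_securityfs_write(&st, "1"); /* the initrd does this before switch_root */
    printf("unsigned after arming: %d, signed: %d\n", modsig_load(&st, &early), modsig_load(&st, &late));
    printf("disarm refused: %d, loaded unverified: %u\n", modsig_securityfs_write(&st, "0"), st.unverified_loaded);
    return 0;
}
```

The counter unverified_loaded is the piece an operator would want the real feature to expose somewhere: without it, a machine whose initrd never wrote to the latch (the misuse Prarit Bhargava raises in the thread) looks exactly like a correctly armed one from userspace, yet keeps accepting unsigned modules for the rest of its uptime.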
  

Comments

Randy Dunlap Sept. 15, 2023, 3:59 p.m. UTC | #1
On 9/14/23 04:27, Alessandro Carminati (Red Hat) wrote:
> Update kernel-parameters.txt to reflect new deferred signature
> verification.
> Enhances boot speed by allowing unsigned modules in initrd after
> bootloader check.
> 
> Signed-off-by: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com>
> ---
>  Documentation/admin-guide/kernel-parameters.txt | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 0c38a8af95ce..beec86f0dd05 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -3410,6 +3410,15 @@
>  			Note that if CONFIG_MODULE_SIG_FORCE is set, that
>  			is always true, so this option does nothing.
>  
> +	module_sig_check_wait=
> +			This parameter enables delayed activation of module
> +			signature checks, deferring the process until userspace
> +			triggers it. Once activated, this setting becomes
> +			permanent and cannot be reversed. This feature proves
> +			valuable for incorporating unsigned modules within
> +			initrd, especially after bootloader verification.
> +			By employing this option, boot times can be quicker.
> +

Please keep the entries here in alphabetical order.
This new entry should be after module_blacklist, not before it.
Thanks.

>  	module_blacklist=  [KNL] Do not load a comma-separated list of
>  			modules.  Useful for debugging problem modules.
>
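Review bot: the sentence "Once activated, this setting becomes permanent and cannot be reversed" in the new module_sig_check_wait= entry is ambiguous about which state is permanent: read literally, "this setting" is the deferral itself, whereas the cover letter says the opposite, that it is the later trigger from userspace that cannot be undone. Reword it to say that signature checking, once switched on from userspace, stays on for the rest of the boot. The entry also never tells the administrator how the deferral is ended (which securityfs file to write and what value), and leaves the value after "=" undocumented, so the option cannot be used from this file alone. Finally, the neighbouring entries carry a "[KNL]" tag ("module_blacklist=  [KNL] Do not load a comma-separated list of"), so this one should too.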
  
Prarit Bhargava Nov. 8, 2023, 3:32 p.m. UTC | #2
On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote:
> This patch sets up a new feature in the Linux kernel: the ability,
> while module signature checking is enabled, to delay the moment when
> these signatures are effectively checked. The feature is structured
> around two main key points: the feature can be enabled by a new kernel
> command line argument, and while in delay mode the kernel waits until
> userspace signals it to start checking module signatures.
> This operation can be done by writing a value to a securityfs file,
> which works the same way as /sys/kernel/security/lockdown.
> 
> Patch 1/2: Modules: Introduce boot-time module signature flexibility
> The first patch in this set fundamentally alters the kernel's behavior
> at boot time by implementing a delayed module signature verification
> mechanism. It introduces a new boot-time kernel argument that allows
> users to request this delay. By doing so, we aim to capitalize on the
> cryptographic checks already performed on the kernel and initrd images
> during the secure boot process. As a result, we can significantly
> improve the boot speed without compromising system security.
> 
> Patch 2/2: docs: Update kernel-parameters.txt for signature verification
> enhancement
> The second patch is just to update the kernel parameters list
> documentation.
> 
> Background and Motivation
> In certain contexts, boot speed becomes crucial. This patch follows the
> recognition that security checks can at times be redundant. Therefore,
> it proves valuable to skip those checks that have already been validated.
> 
> In a typical Secure Boot startup with an initrd, the bootloader is
> responsible for verifying artifacts before relinquishing control. In a
> verified initrd image, it is reasonable to assume that its content is
> also secure. Consequently, verifying module signatures may be deemed
> unnecessary.
> This patch introduces a feature to skip signature verification during
> the initrd boot phase.
> 

I think this is fine to do.  There is some risk for users who may use
this without realizing what they're actually doing and then would end up
creating a security hole.  But there are far worse ways you can do that
with access to kernel parameters.

P.

> Alessandro Carminati (Red Hat) (2):
>    Modules: Introduce boot-time module signature flexibility
>    docs: Update kernel-parameters.txt for signature verification
>      enhancement
> 
>   .../admin-guide/kernel-parameters.txt         |  9 +++
>   include/linux/module.h                        |  4 ++
>   kernel/module/main.c                          | 14 +++--
>   kernel/module/signing.c                       | 56 +++++++++++++++++++
>   4 files changed, 77 insertions(+), 6 deletions(-)
>
  
Alessandro Carminati (Red Hat) Nov. 9, 2023, 10:51 a.m. UTC | #3
gentle ping


On Thu 14 Sep 2023 at 13:28 Alessandro Carminati (Red
Hat) <alessandro.carminati@gmail.com> wrote:
>
> This patch sets up a new feature in the Linux kernel: the ability,
> while module signature checking is enabled, to delay the moment when
> these signatures are effectively checked. The feature is structured
> around two main key points: the feature can be enabled by a new kernel
> command line argument, and while in delay mode the kernel waits until
> userspace signals it to start checking module signatures.
> This operation can be done by writing a value to a securityfs file,
> which works the same way as /sys/kernel/security/lockdown.
>
> Patch 1/2: Modules: Introduce boot-time module signature flexibility
> The first patch in this set fundamentally alters the kernel's behavior
> at boot time by implementing a delayed module signature verification
> mechanism. It introduces a new boot-time kernel argument that allows
> users to request this delay. By doing so, we aim to capitalize on the
> cryptographic checks already performed on the kernel and initrd images
> during the secure boot process. As a result, we can significantly
> improve the boot speed without compromising system security.
>
> Patch 2/2: docs: Update kernel-parameters.txt for signature verification
> enhancement
> The second patch is just to update the kernel parameters list
> documentation.
>
> Background and Motivation
> In certain contexts, boot speed becomes crucial. This patch follows the
> recognition that security checks can at times be redundant. Therefore,
> it proves valuable to skip those checks that have already been validated.
>
> In a typical Secure Boot startup with an initrd, the bootloader is
> responsible for verifying artifacts before relinquishing control. In a
> verified initrd image, it is reasonable to assume that its content is
> also secure. Consequently, verifying module signatures may be deemed
> unnecessary.
> This patch introduces a feature to skip signature verification during
> the initrd boot phase.
>
> Alessandro Carminati (Red Hat) (2):
>   Modules: Introduce boot-time module signature flexibility
>   docs: Update kernel-parameters.txt for signature verification
>     enhancement
>
>  .../admin-guide/kernel-parameters.txt         |  9 +++
>  include/linux/module.h                        |  4 ++
>  kernel/module/main.c                          | 14 +++--
>  kernel/module/signing.c                       | 56 +++++++++++++++++++
>  4 files changed, 77 insertions(+), 6 deletions(-)
>
> --
> 2.34.1
>