| Message ID | 20230914112739.112729-1-alessandro.carminati@gmail.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:172:b0:3f2:4152:657d with SMTP id h50csp512852vqi;
Thu, 14 Sep 2023 10:36:16 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IF4YgKgR7S8B0Z0oxhKadevHOqVRjWAMK8DUTAZSC1ip8SByIMk3PwMXXOEW/v/IokTR+gt
X-Received: by 2002:a05:6a20:3d22:b0:14c:4dfc:9766 with SMTP id
y34-20020a056a203d2200b0014c4dfc9766mr6857001pzi.46.1694712975782;
Thu, 14 Sep 2023 10:36:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1694712975; cv=none;
d=google.com; s=arc-20160816;
b=sS2oCNffqDl6bN/AE997OucSmDl3vJLoUf0+u/tdF7OxjswXuzChq6y2271hMuXPG4
Oi5Z3bekeiB8JHHYMJOXIeiNEMDckJt/YuEKgUNd3q1hza9+jzM7fzKzu22rzgc+7dfN
0wZhnPEBu0Q0aNvJ8IWxg7PnsAHWQeG1FWNfGXOVfP2nGle7IMFQTpLp39gv2YRnSCX0
faBn2zJLGy2/GXz4/xm4y3vewDeILq7wU3aJkVeKBLevFLORLCTYJCUc2lx0MWFuj3xr
hh3ylAr0hPNVz8qeGDOUvm4r2v6tGyn1WE29s/FW8t1gIW0RRL8bRHJqyypD8Kka8fYb
lWSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=xQ4JSvALWwFERJLvgTZEaGF4FKSCIvpNYYc8CXH5D3Q=;
fh=5+Fj4/C1BEhc4B3kvYcX4deFZcFigYEq5dS0FMmuoVc=;
b=FdiUsmNw2V3aPmbgdos4Reda8QXxqngbCmcMPUAyebrxx9xwjCxR7BTizD6nkOMBu1
fN6nrP1n0K5u7rCQvFxPotsNya/cMQQIhYxisdQgJdYufhTGmchInrorM8WzTRsEnkog
cGXfMWKklXDghE8pwjRZhwlNcM5dGWQSS7CANns8dO7I8KwGjcexydswNB3fKTGsyULS
G1BRjEeIjrJ6rJyV3S6sLL15QQKaCV+j1HJ92nJpQzPMYi0d7tDS2IwO5vU2rioMNrCX
l4XXofUdDWAt3Nj/zmKzkk/7MRctcOqrfJL6hIrjc/1Klm8HVqTmf/wRcxBEBA0J7Zzz
x4gg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20221208 header.b=aWHFjFUm;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from howler.vger.email (howler.vger.email. [23.128.96.34])
by mx.google.com with ESMTPS id
x63-20020a638642000000b00565617189e2si1774291pgd.839.2023.09.14.10.36.15
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 14 Sep 2023 10:36:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20221208 header.b=aWHFjFUm;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by howler.vger.email (Postfix) with ESMTP id DBBB78325D2F;
Thu, 14 Sep 2023 04:28:44 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S237808AbjINL2j (ORCPT <rfc822;chrisfriedt@gmail.com>
+ 35 others); Thu, 14 Sep 2023 07:28:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36510 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S237872AbjINL20 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 14 Sep 2023 07:28:26 -0400
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com
[IPv6:2a00:1450:4864:20::334])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 58B8E2109;
Thu, 14 Sep 2023 04:28:18 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id
5b1f17b1804b1-401da71b83cso9083515e9.2;
Thu, 14 Sep 2023 04:28:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20221208; t=1694690896; x=1695295696;
darn=vger.kernel.org;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=xQ4JSvALWwFERJLvgTZEaGF4FKSCIvpNYYc8CXH5D3Q=;
b=aWHFjFUmu7LSGmcs1LejzkoRXO/xS3DmcN8e+ZcMY2QmpE5NiegdkFudCexMadWZf2
D/qLMXeOVpuQ28d6meaAp/iu3r6dt2x7jDbTgAca6Gr4YTtvvedMz/7JWZg0ym8hBNvP
xD02SwF9eNK0F2aM01su00WUlnwoIIVFE0g/sZhk8Dr3jGXk/5MmfYPieG5Xv2HTQI5z
hFxQpcBWd0F1R8dtd3eEIUQsQVO74AgwSh0CN+fC4cTt0hxGKUAb1wRzNgD79tXJAho4
t+lkMh8zZwBh8gMH96lTE/r/cz7TjZTV2r6TNgv4jNIiTJKWbsLXwLJ5ATzRXM0DL5Ie
FFPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1694690896; x=1695295696;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=xQ4JSvALWwFERJLvgTZEaGF4FKSCIvpNYYc8CXH5D3Q=;
b=WiIPoNeTZv0uUPFYl1LFoakNXYQKf3efb7Kc7XCwcGpy4TfXqBacY0FBby1+oVj0Q9
wHcpF/qaAYKV0gghaoWfE48S5Y0aJNRu0nTqnCfYHfI0CutsSnk76WmuXRhWglp/xgtF
9E4GIoasMCG9ATlCfiRK/g6o/jvXwHU+PUq3BSCJQsFBUptZj2IStK5X8Tl32rKo501b
G4kjC/jSDSyJ4gb4VM0lwyrjrdiwJynlTOjfPy1sfsiPv8cMj9wv7D8vvyB14ePsYWQr
4LKNnbcGGwWEhbYuK8hmh4rV2KKXsn44HQTJjF9Dg6vokSCDl2eUARclm/bYzy3JuiNs
0/BA==
X-Gm-Message-State: AOJu0YzjtcXgfokzV/znam+Hah89/elzWZbiMpBVaa74QbX6weLf9Dtd
eS4S64fO6iHISisN+prk4iMw6Aes7frh9Q==
X-Received: by 2002:a1c:7912:0:b0:3fe:2b60:b24e with SMTP id
l18-20020a1c7912000000b003fe2b60b24emr4484855wme.29.1694690896217;
Thu, 14 Sep 2023 04:28:16 -0700 (PDT)
Received: from lab.hqhome163.com ([194.183.10.152])
by smtp.googlemail.com with ESMTPSA id
l36-20020a05600c1d2400b003fef5402d2dsm4786764wms.8.2023.09.14.04.28.15
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 14 Sep 2023 04:28:15 -0700 (PDT)
From: "Alessandro Carminati (Red Hat)" <alessandro.carminati@gmail.com>
To: linux-modules@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Luis Chamberlain <mcgrof@kernel.org>,
Jonathan Corbet <corbet@lwn.net>, linux-doc@vger.kernel.org,
Alessandro Carminati <alessandro.carminati@gmail.com>
Subject: [RFC PATCH 0/2] Enhancing Boot Speed and Security with Delayed Module
Signature Verification
Date: Thu, 14 Sep 2023 11:27:37 +0000
Message-Id: <20230914112739.112729-1-alessandro.carminati@gmail.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-type: text/plain
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]);
Thu, 14 Sep 2023 04:28:44 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1777035353288963436
X-GMAIL-MSGID: 1777035353288963436
|
| Series |
Enhancing Boot Speed and Security with Delayed Module Signature Verification
|
|
Message
Alessandro Carminati (Red Hat)
Sept. 14, 2023, 11:27 a.m. UTC
This patch sets up a new feature to the Linux kernel to have the ability,
while module signature checking is enabled, to delay the moment where
these signatures are effectively checked. The feature is structure into
two main key points, the feature can be enabled by a new command line
kernel argument, while in delay mode, the kernel waits until the
userspace communicates to start checking signature modules.
This operation can be done by writing a value in a securityfs file,
which works the same as /sys/kernel/security/lockdown.
Patch 1/2: Modules: Introduce boot-time module signature flexibility
The first patch in this set fundamentally alters the kernel's behavior
at boot time by implementing a delayed module signature verification
mechanism. It introduces a new boot-time kernel argument that allows
users to request this delay. By doing so, we aim to capitalize on the
cryptographic checks already performed on the kernel and initrd images
during the secure boot process. As a result, we can significantly
improve the boot speed without compromising system security.
Patch 2/2: docs: Update kernel-parameters.txt for signature verification
enhancement
The second patch is just to update the kernel parameters list
documentation.
Background and Motivation
In certain contexts, boot speed becomes crucial. This patch follows the
recognition that security checks can at times be redundant. Therefore,
it proves valuable to skip those checks that have already been validated.
In a typical Secure Boot startup with an initrd, the bootloader is
responsible for verifying artifacts before relinquishing control. In a
verified initrd image, it is reasonable to assume that its content is
also secure. Consequently, verifying module signatures may be deemed
unnecessary.
This patch introduces a feature to skip signature verification during
the initrd boot phase.
Alessandro Carminati (Red Hat) (2):
Modules: Introduce boot-time module signature flexibility
docs: Update kernel-parameters.txt for signature verification
enhancement
.../admin-guide/kernel-parameters.txt | 9 +++
include/linux/module.h | 4 ++
kernel/module/main.c | 14 +++--
kernel/module/signing.c | 56 +++++++++++++++++++
4 files changed, 77 insertions(+), 6 deletions(-)
Comments
On 9/14/23 04:27, Alessandro Carminati (Red Hat) wrote: > Update kernel-parameters.txt to reflect new deferred signature > verification. > Enhances boot speed by allowing unsigned modules in initrd after > bootloader check. > > Signed-off-by: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com> > --- > Documentation/admin-guide/kernel-parameters.txt | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index 0c38a8af95ce..beec86f0dd05 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -3410,6 +3410,15 @@ > Note that if CONFIG_MODULE_SIG_FORCE is set, that > is always true, so this option does nothing. > > + module_sig_check_wait= > + This parameter enables delayed activation of module > + signature checks, deferring the process until userspace > + triggers it. Once activated, this setting becomes > + permanent and cannot be reversed. This feature proves > + valuable for incorporating unsigned modules within > + initrd, especially after bootloader verification. > + By employing this option, boot times can be quicker. > + Please keep the entries here in alphabetical order. This new entry should be after module_blacklist, not before it. Thanks. > module_blacklist= [KNL] Do not load a comma-separated list of > modules. Useful for debugging problem modules. >
On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote: > This patch sets up a new feature to the Linux kernel to have the ability, > while module signature checking is enabled, to delay the moment where > these signatures are effectively checked. The feature is structure into > two main key points, the feature can be enabled by a new command line > kernel argument, while in delay mode, the kernel waits until the > userspace communicates to start checking signature modules. > This operation can be done by writing a value in a securityfs file, > which works the same as /sys/kernel/security/lockdown. > > Patch 1/2: Modules: Introduce boot-time module signature flexibility > The first patch in this set fundamentally alters the kernel's behavior > at boot time by implementing a delayed module signature verification > mechanism. It introduces a new boot-time kernel argument that allows > users to request this delay. By doing so, we aim to capitalize on the > cryptographic checks already performed on the kernel and initrd images > during the secure boot process. As a result, we can significantly > improve the boot speed without compromising system security. > > Patch 2/2: docs: Update kernel-parameters.txt for signature verification > enhancement > The second patch is just to update the kernel parameters list > documentation. > > Background and Motivation > In certain contexts, boot speed becomes crucial. This patch follows the > recognition that security checks can at times be redundant. Therefore, > it proves valuable to skip those checks that have already been validated. > > In a typical Secure Boot startup with an initrd, the bootloader is > responsible for verifying artifacts before relinquishing control. In a > verified initrd image, it is reasonable to assume that its content is > also secure. Consequently, verifying module signatures may be deemed > unnecessary. > This patch introduces a feature to skip signature verification during > the initrd boot phase. > I think this is fine to do. There is some risk for users who may use this without realizing what they're actually doing and then would end up creating a security hole. But there are far worse ways you can do that with access to kernel paramaters. P. > Alessandro Carminati (Red Hat) (2): > Modules: Introduce boot-time module signature flexibility > docs: Update kernel-parameters.txt for signature verification > enhancement > > .../admin-guide/kernel-parameters.txt | 9 +++ > include/linux/module.h | 4 ++ > kernel/module/main.c | 14 +++-- > kernel/module/signing.c | 56 +++++++++++++++++++ > 4 files changed, 77 insertions(+), 6 deletions(-) >
gentle ping Il giorno gio 14 set 2023 alle ore 13:28 Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com> ha scritto: > > This patch sets up a new feature to the Linux kernel to have the ability, > while module signature checking is enabled, to delay the moment where > these signatures are effectively checked. The feature is structure into > two main key points, the feature can be enabled by a new command line > kernel argument, while in delay mode, the kernel waits until the > userspace communicates to start checking signature modules. > This operation can be done by writing a value in a securityfs file, > which works the same as /sys/kernel/security/lockdown. > > Patch 1/2: Modules: Introduce boot-time module signature flexibility > The first patch in this set fundamentally alters the kernel's behavior > at boot time by implementing a delayed module signature verification > mechanism. It introduces a new boot-time kernel argument that allows > users to request this delay. By doing so, we aim to capitalize on the > cryptographic checks already performed on the kernel and initrd images > during the secure boot process. As a result, we can significantly > improve the boot speed without compromising system security. > > Patch 2/2: docs: Update kernel-parameters.txt for signature verification > enhancement > The second patch is just to update the kernel parameters list > documentation. > > Background and Motivation > In certain contexts, boot speed becomes crucial. This patch follows the > recognition that security checks can at times be redundant. Therefore, > it proves valuable to skip those checks that have already been validated. > > In a typical Secure Boot startup with an initrd, the bootloader is > responsible for verifying artifacts before relinquishing control. In a > verified initrd image, it is reasonable to assume that its content is > also secure. Consequently, verifying module signatures may be deemed > unnecessary. > This patch introduces a feature to skip signature verification during > the initrd boot phase. > > Alessandro Carminati (Red Hat) (2): > Modules: Introduce boot-time module signature flexibility > docs: Update kernel-parameters.txt for signature verification > enhancement > > .../admin-guide/kernel-parameters.txt | 9 +++ > include/linux/module.h | 4 ++ > kernel/module/main.c | 14 +++-- > kernel/module/signing.c | 56 +++++++++++++++++++ > 4 files changed, 77 insertions(+), 6 deletions(-) > > -- > 2.34.1 >