Message ID | 20230914112739.112729-1-alessandro.carminati@gmail.com |
---|---|
Headers |
From: "Alessandro Carminati (Red Hat)" <alessandro.carminati@gmail.com>
To: linux-modules@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Luis Chamberlain <mcgrof@kernel.org>, Jonathan Corbet <corbet@lwn.net>, linux-doc@vger.kernel.org, Alessandro Carminati <alessandro.carminati@gmail.com>
Subject: [RFC PATCH 0/2] Enhancing Boot Speed and Security with Delayed Module Signature Verification
Date: Thu, 14 Sep 2023 11:27:37 +0000
Message-Id: <20230914112739.112729-1-alessandro.carminati@gmail.com>
X-Mailer: git-send-email 2.34.1
List-ID: <linux-kernel.vger.kernel.org> |
Series |
Enhancing Boot Speed and Security with Delayed Module Signature Verification
Message
Alessandro Carminati (Red Hat)
Sept. 14, 2023, 11:27 a.m. UTC
This patch sets up a new feature to the Linux kernel to have the ability, while module signature checking is enabled, to delay the moment where these signatures are effectively checked. The feature is structured into two main key points: the feature can be enabled by a new command line kernel argument, and while in delay mode, the kernel waits until the userspace communicates to start checking module signatures. This operation can be done by writing a value in a securityfs file, which works the same as /sys/kernel/security/lockdown.

Patch 1/2: Modules: Introduce boot-time module signature flexibility
The first patch in this set fundamentally alters the kernel's behavior at boot time by implementing a delayed module signature verification mechanism. It introduces a new boot-time kernel argument that allows users to request this delay. By doing so, we aim to capitalize on the cryptographic checks already performed on the kernel and initrd images during the secure boot process. As a result, we can significantly improve the boot speed without compromising system security.

Patch 2/2: docs: Update kernel-parameters.txt for signature verification enhancement
The second patch is just to update the kernel parameters list documentation.

Background and Motivation
In certain contexts, boot speed becomes crucial. This patch follows the recognition that security checks can at times be redundant. Therefore, it proves valuable to skip those checks that have already been validated.

In a typical Secure Boot startup with an initrd, the bootloader is responsible for verifying artifacts before relinquishing control. In a verified initrd image, it is reasonable to assume that its content is also secure. Consequently, verifying module signatures may be deemed unnecessary.
This patch introduces a feature to skip signature verification during the initrd boot phase.
Alessandro Carminati (Red Hat) (2):
  Modules: Introduce boot-time module signature flexibility
  docs: Update kernel-parameters.txt for signature verification enhancement

 .../admin-guide/kernel-parameters.txt |  9 +++
 include/linux/module.h                |  4 ++
 kernel/module/main.c                  | 14 +++--
 kernel/module/signing.c               | 56 +++++++++++++++++++
 4 files changed, 77 insertions(+), 6 deletions(-)
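The cover letter describes the mechanism, but the changes to kernel/module/signing.c are not on this page. What follows is an added example, not the series' code and not kernel code: a userspace C model of the decision the kernel takes when a module is loaded, extended with the deferral the series proposes. The marker string `~Module signature appended~\n`, the `struct module_signature` trailer layout and the errno mapping (-ENODATA for an unsigned module, -ENOPKG for an unsupported key type, -EKEYREJECTED for a bad signature or an enforced rejection) follow the mainline signing code. The PKCS#7 verification is replaced by a toy keyed checksum that is not cryptography, and because the cover letter names neither the securityfs file nor the value written to it, the userspace trigger is modelled as a plain function call (`sig_check_activate`, an assumed name). The module images are constructed in-memory payloads, not real ELF files; `scenario()` builds one of four kinds (unsigned, signed, signed then tampered, trailer with an unsupported id_type) under a chosen policy state and returns the load decision.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker and trailer layout used by the kernel's module signing code */
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MARKER_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define PKEY_ID_PKCS7 2
struct module_signature {
    uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];  /* all 0 except id_type == PKCS7 */
    uint32_t sig_len_be;                                          /* big-endian length of the signature */
};

/* Policy state: check_wait/activated model the proposed parameter and the securityfs trigger (assumed) */
struct sig_state { bool sig_enforce, check_wait, activated; };
static void sig_check_activate(struct sig_state *st) { st->activated = true; }  /* one-way: nothing clears it */
static bool sig_check_deferred(const struct sig_state *st) { return st->check_wait && !st->activated; }

/* Toy stand-in for PKCS#7: keyed FNV-1a over the body, 8 bytes big-endian. Not cryptography. */
#define TOY_SIG_LEN 8
static const uint64_t toy_key = 0x5ec0de0000c0ffeeULL;  /* constructed value, not a real key */
static void toy_mac(const uint8_t *p, size_t n, uint8_t out[TOY_SIG_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL ^ toy_key;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    for (int i = 7; i >= 0; i--) { out[i] = (uint8_t)(h & 0xff); h >>= 8; }
}

/* Append signature || struct module_signature || marker: the layout the kernel looks for */
static size_t toy_sign(uint8_t *buf, size_t body_len, size_t cap, uint8_t id_type)
{
    struct module_signature ms = { .id_type = id_type };
    const uint8_t len_be[4] = { 0, 0, 0, TOY_SIG_LEN };
    size_t total = body_len + TOY_SIG_LEN + sizeof ms + MARKER_LEN;
    if (total > cap) return 0;
    toy_mac(buf, body_len, buf + body_len);
    memcpy(&ms.sig_len_be, len_be, 4);
    memcpy(buf + body_len + TOY_SIG_LEN, &ms, sizeof ms);
    memcpy(buf + body_len + TOY_SIG_LEN + sizeof ms, MODULE_SIG_STRING, MARKER_LEN);
    return total;
}

/* Validate the trailer of an image whose marker has been stripped (flen bytes), then verify */
static int verify_trailer(const uint8_t *mod, size_t flen)
{
    struct module_signature ms;
    const uint8_t *lp = mod + flen - 4;                      /* sig_len_be is the last 4 trailer bytes */
    uint8_t expect[TOY_SIG_LEN];
    size_t sig_len, body_len;
    if (flen < sizeof ms) return -EBADMSG;
    memcpy(&ms, mod + flen - sizeof ms, sizeof ms);
    sig_len = ((size_t)lp[0] << 24) | ((size_t)lp[1] << 16) | ((size_t)lp[2] << 8) | lp[3];
    if (sig_len >= flen - sizeof ms) return -EBADMSG;        /* length points outside the image */
    if (ms.id_type != PKEY_ID_PKCS7) return -ENOPKG;         /* "module with unsupported crypto" */
    if (ms.algo || ms.hash || ms.signer_len || ms.key_id_len || ms.pad[0] || ms.pad[1] || ms.pad[2])
        return -EBADMSG;
    body_len = flen - sizeof ms - sig_len;
    toy_mac(mod, body_len, expect);
    return (sig_len == TOY_SIG_LEN && memcmp(expect, mod + body_len, TOY_SIG_LEN) == 0) ? 0 : -EKEYREJECTED;
}

/* Load decision: 0 accepts, -errno rejects. The deferral test comes first: nothing is examined while it holds. */
static int module_sig_check_model(const struct sig_state *st, const uint8_t *mod, size_t len, bool *sig_ok)
{
    int err = -ENODATA;                                      /* "unsigned module" */
    if (sig_ok) *sig_ok = false;
    if (sig_check_deferred(st)) return 0;
    if (len > MARKER_LEN && memcmp(mod + len - MARKER_LEN, MODULE_SIG_STRING, MARKER_LEN) == 0) {
        err = verify_trailer(mod, len - MARKER_LEN);
        if (!err) { if (sig_ok) *sig_ok = true; return 0; }
    }
    switch (err) {
    case -ENODATA: case -ENOPKG: case -ENOKEY: break;        /* non-fatal unless enforcing */
    default: return err;                                     /* bad trailer or bad signature: always fatal */
    }
    return st->sig_enforce ? -EKEYREJECTED : 0;
}

/* kind: 0 unsigned, 1 signed, 2 signed then body altered, 3 trailer with an unsupported id_type.
 * Returns the load decision; sig_ok (may be NULL) reports whether a signature actually verified. */
int scenario(bool check_wait, bool activated, bool sig_enforce, int kind, bool *sig_ok)
{
    static const char body[] = "constructed module payload, not a real ELF image";
    uint8_t buf[256];
    size_t len = sizeof body - 1;
    struct sig_state st = { .sig_enforce = sig_enforce, .check_wait = check_wait };
    memcpy(buf, body, len);
    if (kind == 1 || kind == 2) len = toy_sign(buf, len, sizeof buf, PKEY_ID_PKCS7);
    if (kind == 2) buf[0] ^= 0x01;                           /* tamper with the body after signing */
    if (kind == 3) len = toy_sign(buf, len, sizeof buf, 1);  /* 1 is not PKEY_ID_PKCS7 */
    if (activated) sig_check_activate(&st);
    return module_sig_check_model(&st, buf, len, sig_ok);
}

/* The sequence an initrd sees: wait in effect, then the activation write. Returns 0 if all hold. */
int run_demo(void)
{
    bool sig_ok = false;
    int bad = 0;
    bad |= scenario(true, false, true, 0, NULL) != 0;              /* waiting: unsigned accepted */
    bad |= scenario(true, false, true, 2, NULL) != 0;              /* waiting: tampered accepted too */
    bad |= scenario(true, true, true, 0, NULL) != -EKEYREJECTED;   /* activated: unsigned rejected */
    bad |= scenario(true, true, true, 1, &sig_ok) != 0 || !sig_ok; /* activated: good signature verifies */
    bad |= scenario(true, true, true, 2, NULL) != -EKEYREJECTED;   /* activated: tampered rejected */
    return bad;
}

int main(void) { printf("model %s\n", run_demo() == 0 ? "matches the cover letter" : "FAILED"); return run_demo(); }
```

Two results are worth noting for anyone deploying the parameter. While the wait is in effect, kind 2 (a signed module whose body was altered after signing) is accepted exactly as an unsigned one is, because the deferral skips the whole check rather than relaxing it; the activation write therefore has to happen before any module source the bootloader did not verify becomes reachable. And on a non-enforcing kernel without the wait, a bad signature is still fatal while a missing one is not, which is the mainline distinction the deferral window removes.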
Comments
On 9/14/23 04:27, Alessandro Carminati (Red Hat) wrote: > Update kernel-parameters.txt to reflect new deferred signature > verification. > Enhances boot speed by allowing unsigned modules in initrd after > bootloader check. > > Signed-off-by: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com> > --- > Documentation/admin-guide/kernel-parameters.txt | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index 0c38a8af95ce..beec86f0dd05 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -3410,6 +3410,15 @@ > Note that if CONFIG_MODULE_SIG_FORCE is set, that > is always true, so this option does nothing. > > + module_sig_check_wait= > + This parameter enables delayed activation of module > + signature checks, deferring the process until userspace > + triggers it. Once activated, this setting becomes > + permanent and cannot be reversed. This feature proves > + valuable for incorporating unsigned modules within > + initrd, especially after bootloader verification. > + By employing this option, boot times can be quicker. > + Please keep the entries here in alphabetical order. This new entry should be after module_blacklist, not before it. Thanks. > module_blacklist= [KNL] Do not load a comma-separated list of > modules. Useful for debugging problem modules. >
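Review bot: the new module_sig_check_wait= entry says checking is "deferring the process until userspace triggers it" but never says how: the securityfs file userspace writes, the value it writes, and what reading the file shows are all absent, so an initrd author cannot use the parameter from this text alone (the cover letter compares it to /sys/kernel/security/lockdown, and the entry should at least name the file). On the same lines, "Once activated, this setting becomes permanent and cannot be reversed" reads as though the deferral were permanent; say instead that once userspace turns checking on it cannot be turned off again, and that until it does so every module, not only those shipped in the initrd, is loaded without its signature being looked at. The entry also does not say how it interacts with module.sig_enforce and CONFIG_MODULE_SIG_FORCE, whose note sits in the context lines just above ("Note that if CONFIG_MODULE_SIG_FORCE is set, that is always true, so this option does nothing."); state whether the wait applies on a sig-force kernel or is ignored there. Minor: the entry lacks the [KNL] tag its neighbours carry (module_blacklist= [KNL] ...), and, as noted above, it belongs after module_blacklist= in alphabetical order.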
On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote:
> This patch sets up a new feature to the Linux kernel to have the ability,
> while module signature checking is enabled, to delay the moment where
> these signatures are effectively checked. The feature is structured into
> two main key points, the feature can be enabled by a new command line
> kernel argument, while in delay mode, the kernel waits until the
> userspace communicates to start checking module signatures.
> This operation can be done by writing a value in a securityfs file,
> which works the same as /sys/kernel/security/lockdown.
>
> Patch 1/2: Modules: Introduce boot-time module signature flexibility
> The first patch in this set fundamentally alters the kernel's behavior
> at boot time by implementing a delayed module signature verification
> mechanism. It introduces a new boot-time kernel argument that allows
> users to request this delay. By doing so, we aim to capitalize on the
> cryptographic checks already performed on the kernel and initrd images
> during the secure boot process. As a result, we can significantly
> improve the boot speed without compromising system security.
>
> Patch 2/2: docs: Update kernel-parameters.txt for signature verification
> enhancement
> The second patch is just to update the kernel parameters list
> documentation.
>
> Background and Motivation
> In certain contexts, boot speed becomes crucial. This patch follows the
> recognition that security checks can at times be redundant. Therefore,
> it proves valuable to skip those checks that have already been validated.
>
> In a typical Secure Boot startup with an initrd, the bootloader is
> responsible for verifying artifacts before relinquishing control. In a
> verified initrd image, it is reasonable to assume that its content is
> also secure. Consequently, verifying module signatures may be deemed
> unnecessary.
> This patch introduces a feature to skip signature verification during
> the initrd boot phase.
>

I think this is fine to do. There is some risk for users who may use this without realizing what they're actually doing and then would end up creating a security hole. But there are far worse ways you can do that with access to kernel parameters.

P.

> Alessandro Carminati (Red Hat) (2):
>   Modules: Introduce boot-time module signature flexibility
>   docs: Update kernel-parameters.txt for signature verification
>     enhancement
>
>  .../admin-guide/kernel-parameters.txt |  9 +++
>  include/linux/module.h                |  4 ++
>  kernel/module/main.c                  | 14 +++--
>  kernel/module/signing.c               | 56 +++++++++++++++++++
>  4 files changed, 77 insertions(+), 6 deletions(-)
>
gentle ping

On Thu, 14 Sep 2023 at 13:28, Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com> wrote:
>
> This patch sets up a new feature to the Linux kernel to have the ability,
> while module signature checking is enabled, to delay the moment where
> these signatures are effectively checked. The feature is structured into
> two main key points, the feature can be enabled by a new command line
> kernel argument, while in delay mode, the kernel waits until the
> userspace communicates to start checking module signatures.
> This operation can be done by writing a value in a securityfs file,
> which works the same as /sys/kernel/security/lockdown.
>
> Patch 1/2: Modules: Introduce boot-time module signature flexibility
> The first patch in this set fundamentally alters the kernel's behavior
> at boot time by implementing a delayed module signature verification
> mechanism. It introduces a new boot-time kernel argument that allows
> users to request this delay. By doing so, we aim to capitalize on the
> cryptographic checks already performed on the kernel and initrd images
> during the secure boot process. As a result, we can significantly
> improve the boot speed without compromising system security.
>
> Patch 2/2: docs: Update kernel-parameters.txt for signature verification
> enhancement
> The second patch is just to update the kernel parameters list
> documentation.
>
> Background and Motivation
> In certain contexts, boot speed becomes crucial. This patch follows the
> recognition that security checks can at times be redundant. Therefore,
> it proves valuable to skip those checks that have already been validated.
>
> In a typical Secure Boot startup with an initrd, the bootloader is
> responsible for verifying artifacts before relinquishing control. In a
> verified initrd image, it is reasonable to assume that its content is
> also secure. Consequently, verifying module signatures may be deemed
> unnecessary.
> This patch introduces a feature to skip signature verification during
> the initrd boot phase.
>
> Alessandro Carminati (Red Hat) (2):
>   Modules: Introduce boot-time module signature flexibility
>   docs: Update kernel-parameters.txt for signature verification
>     enhancement
>
>  .../admin-guide/kernel-parameters.txt |  9 +++
>  include/linux/module.h                |  4 ++
>  kernel/module/main.c                  | 14 +++--
>  kernel/module/signing.c               | 56 +++++++++++++++++++
>  4 files changed, 77 insertions(+), 6 deletions(-)
>
> --
> 2.34.1
>