doc: point how to sign kernel module instead of disabling security #166

Open
gmoirod opened this issue Sep 28, 2021 · 9 comments
Labels
documentation Improvements or additions to documentation

Comments

@gmoirod

gmoirod commented Sep 28, 2021

In the readme, you advise to disable UEFI Secure Boot.
I disagree; it is a terrible way, and it should mention that it exposes the user's system to installing untrusted modules at a low level.
You should mention the 2 choices:

  1. Disable but be aware
  2. Learn how to self-sign modules. You could point to articles like these: https://blog.meghadeep.com/how-to-automatically-sign-linux-kernel-modules-after-kernel-update-for-secure-boot/ or https://blog.delouw.ch/2017/04/18/signing-linux-kernel-kodules-and-enforce-to-load-only-signed-modules/

Btw, thank you for this project. I was looking for that long ago :-)

@fangfufu
Owner

fangfufu commented Sep 28, 2021

I don't see how self-signing a module is going to help you. If you don't turn the kernel module signing on, you still have to be a root user to run modprobe and insmod. After you sign the modules, you are still running the modules with the same function.

I have no plan to update the documentation myself to encourage self-signing of kernel modules, as I don't plan to do it myself, and I don't see the point.

@fangfufu fangfufu added the documentation Improvements or additions to documentation label Sep 28, 2021
@gmoirod
Author

gmoirod commented Sep 28, 2021

Mmh, root access and signed modules are 2 distinct things.
You may want (or be obliged by your company) to turn on UEFI Secure Boot. This prevents you from installing software which, in turn, will install low-level libraries (e.g. VirtualBox does that). Doing this can compromise your system without knowing it.
Self-signing allows you to keep this security and load such modules, but you are doing it explicitly. So you do it on purpose and you know what it implies.

Moreover, it educates people about security. Never bad 🙂

@fangfufu
Owner

> Doing this can compromise your system without knowing it.

Sorry, how do you know your self-signed kernel module would not compromise system security?

> Self-signing allows you to keep this security and load such modules, but you are doing it explicitly.

Compiling a kernel module and installing it is very explicit already. Your custom kernel module is not going to compile itself and install itself to the correct location, and load itself automatically.

If you are obliged by your company to turn on UEFI, then you probably would have to find out how to self-sign your kernel module.

@fangfufu
Owner

> Doing this can compromise your system without knowing it.

Sorry, how do you know your self-signed kernel module would not compromise system security?

> Self-signing allows you to keep this security and load such modules, but you are doing it explicitly.

Compiling a kernel module and installing it is very explicit already. Your custom kernel module is not going to compile itself, install itself to the correct location, and load itself automatically.

If a user is obliged by the company to turn on UEFI, then the user just has to find out how to sign your kernel module themselves...

@gmoirod
Author

gmoirod commented Sep 28, 2021

You do not know.
But the user decides to load it. He knows. So he is responsible for this module.

Compile and install is explicit. Yes.
But advising to turn off a global security system to allow loading one is overkill. It will allow future unsecured and unwanted installations.

I just feel disappointed to read "turn off security" to make it work.
But it is OK. Your project. Your decision.
I'll keep using it anyway.

@fangfufu
Owner

fangfufu commented Sep 28, 2021

I think people who are concerned about turning it off know what it does anyway. The blog posts you linked are not adequate for my purposes, because they don't seem to mention how it works with DKMS.

> But advising to turn off a global security system to allow loading one is overkill. It will allow future unsecured and unwanted installations.

You still haven't explained how a self-signed kernel module helps with security, when you have to explicitly load the kernel module anyway. If it is someone who cares about serious security, they would know their threat models, they would already make their own judgement on whether or not to turn off secure boot.

@fangfufu
Owner

Alright, I am now convinced that Secure Boot is a useful feature to have on, but I do feel giving instructions to users on how to set it up is beyond the scope of the project - I can't set it up properly myself!

@gmoirod
Author

gmoirod commented Oct 29, 2021

Hey @fangfufu!
What a turnaround! I'm glad we finally agree on this point :-)

I agree this is beyond the scope of your project.
As I mentioned in the first post, you should mention the 2 ways to manage that case:

  1. disable Secure Boot with the right disclaimer
  2. point to external articles on how to self-sign modules

@fangfufu
Owner

Apparently Ubuntu signs the DKMS kernel automatically anyway, but I don't use Ubuntu myself.
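
Added example, not part of this thread or of the project's code: whether a built module (for instance one produced by DKMS) actually carries a signature can be read from the trailer that the kernel's `sign-file` tool appends. The C function below parses that trailer from an in-memory `.ko` image; it reports presence and layout only, not whether the signature verifies against a key enrolled on the machine. The names `module_sig_info` and `sig_status` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout of a signed module file:
 *   [ELF image][PKCS#7 signature][struct module_signature][magic string] */
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define PKEY_ID_PKCS7 2

struct module_signature {
    uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
    uint8_t sig_len_be[4];            /* signature length, big-endian */
};

enum sig_status { SIG_ABSENT = 0, SIG_PRESENT = 1, SIG_MALFORMED = -1 };

/* Inspect a module image held in buf. On SIG_PRESENT, *sig_len receives the
 * signature size and *elf_len the size of the unsigned module before it. */
enum sig_status module_sig_info(const uint8_t *buf, size_t len,
                                size_t *sig_len, size_t *elf_len)
{
    const size_t magic_len = sizeof(MODULE_SIG_STRING) - 1;
    struct module_signature ms;

    if (len < magic_len ||
        memcmp(buf + len - magic_len, MODULE_SIG_STRING, magic_len) != 0)
        return SIG_ABSENT;            /* no trailer: module is unsigned */
    len -= magic_len;
    if (len < sizeof(ms))
        return SIG_MALFORMED;         /* magic present but header truncated */
    memcpy(&ms, buf + len - sizeof(ms), sizeof(ms));
    len -= sizeof(ms);

    size_t n = ((size_t)ms.sig_len_be[0] << 24) | ((size_t)ms.sig_len_be[1] << 16) |
               ((size_t)ms.sig_len_be[2] << 8)  |  (size_t)ms.sig_len_be[3];
    /* Reject inconsistent trailers: empty or oversized signature,
     * non-PKCS#7 id type, or nonzero legacy fields. */
    if (n == 0 || n >= len || ms.id_type != PKEY_ID_PKCS7 ||
        ms.algo || ms.hash || ms.signer_len || ms.key_id_len)
        return SIG_MALFORMED;
    *sig_len = n;
    *elf_len = len - n;
    return SIG_PRESENT;
}
```

With Secure Boot enforcing module signatures, a module for which this returns `SIG_ABSENT` or `SIG_MALFORMED` will be refused at load time; `SIG_PRESENT` still requires the signing key to be trusted by the kernel.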
