[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1040901: linux modules must not be signed with CA key, bump ABI every upload



Source: linux
Version: 6.3.0-7.7
Severity: grave
Tags: security
X-Debbugs-Cc: jak@debian.org

I know there's some work in progress but it appears we don't have a bug
for it yet. I raised this yesterday in our weekly upstream shim/grub
cabal meetings and Debian's current approach to sign modules with the
same key and not bump ABI on every upload should be considered a bug.

The current approach means that a kernel cannot be easily revoked,
you would need to add its kernel modules to the dbx as well, which
is a grave security bug.

The state of the art solution is to sign everything using an ephemeral key,
which yes, it will cause the package to be unreproducible, but if nobody
commits to working on that merkle tree of modules, than this is very
well going to have to be the solution to the issue.

A reasonable compromise at a first step for a limited time is to
ensure that

1) the kernel refuses to load modules for a different ABI in lockdown,
   for example, the modprobe --force-vermagic does not work anymore.
2) each upload bumps the ABI [this is also required for the ephemeral
   key and merkle tree approaches as otherwise the modules become
   no longer loadable]

This is still somewhat problematic as there may be bugs in the code
validating parsing the kernel module sections that could be exploited
if there were some weird modules, but it's a significant improvement
(turning this from grave to serious I guess).

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en


Reply to: