Message ID | 20220509142504.493925-1-juergh@canonical.com |
---|---|
Series | linux: Staging modules should be unsigned (LP: #1642368) |
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 5/9/22 08:25, Juerg Haefliger wrote:
> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
>
> [juergh: The above is the original bug that introduced this feature in Xenial.
> We seem to have lost it in Impish probably because of breaking changes in
> Makefile.modinst. So bring it back and while at it:
> - Remove modules that are no longer in the staging area from the list.
> - Add a check that verifies that only listed staging modules are signed.]
>
> v2:
> - Move signature-inclusion file to the debian/ directory to keep the source
>   tree clean.
> - Strip signatures from unlisted staging drivers in a build rule rather than
>   modifying the upstream Makefile to not sign them.
>
> Juerg Haefliger (3):
>   UBUNTU: [Packaging] Move and update signature inclusion list
>   UBUNTU: [Packaging] Strip signatures from untrusted staging modules
>   UBUNTU: [Packaging] Add module-signature-check
>
>  debian/rules.d/2-binary-arch.mk | 11 +++
>  debian/rules.d/4-checks.mk | 10 ++-
>  debian/scripts/module-signature-check | 67 +++++++++++++++++++
>  .../staging => debian}/signature-inclusion | 7 --
>  4 files changed, 87 insertions(+), 8 deletions(-)
>  create mode 100755 debian/scripts/module-signature-check
>  rename {drivers/staging => debian}/signature-inclusion (73%)
>

On Mon, May 09, 2022 at 04:25:01PM +0200, Juerg Haefliger wrote:
> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
>
> [juergh: The above is the original bug that introduced this feature in Xenial.
> We seem to have lost it in Impish probably because of breaking changes in
> Makefile.modinst. So bring it back and while at it:
> - Remove modules that are no longer in the staging area from the list.
> - Add a check that verifies that only listed staging modules are signed.]
>
> v2:
> - Move signature-inclusion file to the debian/ directory to keep the source
>   tree clean.
> - Strip signatures from unlisted staging drivers in a build rule rather than
>   modifying the upstream Makefile to not sign them.

Makes sense to me, I haven't checked if all the scripts and packaging are 100%
correct, but I think we can apply it to unstable / kinetic and see how things
are looking during the next rebuild.

Therefore:

Acked-by: Andrea Righi <andrea.righi@canonical.com>

On Mon, May 09, 2022 at 04:25:01PM +0200, Juerg Haefliger wrote:
> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
>
> [juergh: The above is the original bug that introduced this feature in Xenial.
> We seem to have lost it in Impish probably because of breaking changes in
> Makefile.modinst. So bring it back and while at it:
> - Remove modules that are no longer in the staging area from the list.
> - Add a check that verifies that only listed staging modules are signed.]
>
> v2:
> - Move signature-inclusion file to the debian/ directory to keep the source
>   tree clean.
> - Strip signatures from unlisted staging drivers in a build rule rather than
>   modifying the upstream Makefile to not sign them.

Applied to kinetic/linux.

Thanks,
-Andrea

with these patches applied, the ddebs (debug package) staging modules
are still signed

From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb

I don't think there is currently a tool that has ability to find &
strip digital signature only, whilst keeping the rest of the module
intact. I wonder if we need to extend sign-file or kmodsign to support
stripping the signature alone. Or do some hackish script in awk to
achieve that.

$ modinfo ./pi433/pi433.ko
filename:       /home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko
alias:          spi:pi433
license:        GPL
description:    Driver for Pi433
author:         Marcus Wolf, <linux@wolf-entwicklungen.de>
srcversion:     E6314D95D9F61FF16D934B4
alias:          of:N*T*CSmarthome-Wolf,pi433C*
alias:          of:N*T*CSmarthome-Wolf,pi433
depends:
staging:        Y
retpoline:      Y
intree:         Y
name:           pi433
vermagic:       5.18.0-6-generic SMP preempt mod_unload modversions
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40
sig_hashalgo:   sha512
signature

On Tue, 31 May 2022 16:49:51 +0100
Dimitri John Ledkov <dimitri.ledkov@canonical.com> wrote:

> with these patches applied, the ddebs (debug package) staging modules
> are still signed

Rats.

> From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb
>
> I don't think there is currently a tool that has ability to find &
> strip digital signature only, whilst keeping the rest of the module
> intact. I wonder if we need to extend sign-file or kmodsign to support
> stripping the signature alone. Or do some hackish script in awk to
> achieve that.

Probably best to go back to the original approach of modifying the upstream
Makefile snippet and only sign explicitly listed modules. But I don't like the
inclusion file in the source tree. How about keeping that in the debian/
directory?

...Juerg

> $ modinfo ./pi433/pi433.ko
> filename:
> /home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko
> alias: spi:pi433
> license: GPL
> description: Driver for Pi433
> author: Marcus Wolf, <linux@wolf-entwicklungen.de>
> srcversion: E6314D95D9F61FF16D934B4
> alias: of:N*T*CSmarthome-Wolf,pi433C*
> alias: of:N*T*CSmarthome-Wolf,pi433
> depends:
> staging: Y
> retpoline: Y
> intree: Y
> name: pi433
> vermagic: 5.18.0-6-generic SMP preempt mod_unload modversions
> sig_id: PKCS#7
> signer: Build time autogenerated kernel key
> sig_key: 66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40
> sig_hashalgo: sha512
> signature

On Thu, 2 Jun 2022 08:51:50 +0200
Juerg Haefliger <juerg.haefliger@canonical.com> wrote:

> On Tue, 31 May 2022 16:49:51 +0100
> Dimitri John Ledkov <dimitri.ledkov@canonical.com> wrote:
>
> > with these patches applied, the ddebs (debug package) staging modules
> > are still signed
>
> Rats.
>
> > From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb
> >
> > I don't think there is currently a tool that has ability to find &
> > strip digital signature only, whilst keeping the rest of the module
> > intact. I wonder if we need to extend sign-file or kmodsign to support
> > stripping the signature alone. Or do some hackish script in awk to
> > achieve that.
>
> Probably best to go back to the original approach of modifying the upstream
> Makefile snippet and only sign explicitly listed modules. But I don't like the
> inclusion file in the source tree. How about keeping that in the debian/
> directory?

Oh maybe not possible since the source (without debian/) gets rsynced someplace
else for the build?

> ...Juerg
>
>
> > $ modinfo ./pi433/pi433.ko
> > filename:
> > /home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko
> > alias: spi:pi433
> > license: GPL
> > description: Driver for Pi433
> > author: Marcus Wolf, <linux@wolf-entwicklungen.de>
> > srcversion: E6314D95D9F61FF16D934B4
> > alias: of:N*T*CSmarthome-Wolf,pi433C*
> > alias: of:N*T*CSmarthome-Wolf,pi433
> > depends:
> > staging: Y
> > retpoline: Y
> > intree: Y
> > name: pi433
> > vermagic: 5.18.0-6-generic SMP preempt mod_unload modversions
> > sig_id: PKCS#7
> > signer: Build time autogenerated kernel key
> > sig_key: 66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40
> > sig_hashalgo: sha512
> > signature

Everything should still know where the root of the source tree is, even
during out of tree builds. And although it is a layering violation, it does
seem appropriate to keep the list in Debian/ dir.

Separately I will try to work on a sign-file / kmodsign tool to strip
signatures from kernel modules.

On Thu, 2 Jun 2022, 07:55 Juerg Haefliger, <juerg.haefliger@canonical.com> wrote:

> On Thu, 2 Jun 2022 08:51:50 +0200
> Juerg Haefliger <juerg.haefliger@canonical.com> wrote:
>
> > On Tue, 31 May 2022 16:49:51 +0100
> > Dimitri John Ledkov <dimitri.ledkov@canonical.com> wrote:
> >
> > > with these patches applied, the ddebs (debug package) staging modules
> > > are still signed
> >
> > Rats.
> >
> > > From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb
> > >
> > > I don't think there is currently a tool that has ability to find &
> > > strip digital signature only, whilst keeping the rest of the module
> > > intact. I wonder if we need to extend sign-file or kmodsign to support
> > > stripping the signature alone. Or do some hackish script in awk to
> > > achieve that.
> >
> > Probably best to go back to the original approach of modifying the upstream
> > Makefile snippet and only sign explicitly listed modules. But I don't like the
> > inclusion file in the source tree. How about keeping that in the debian/
> > directory?
>
> Oh maybe not possible since the source (without debian/) gets rsynced
> someplace else for the build?
>
> > ...Juerg
> >
> >
> > > $ modinfo ./pi433/pi433.ko
> > > filename:
> > > /home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko
> > > alias: spi:pi433
> > > license: GPL
> > > description: Driver for Pi433
> > > author: Marcus Wolf, <linux@wolf-entwicklungen.de>
> > > srcversion: E6314D95D9F61FF16D934B4
> > > alias: of:N*T*CSmarthome-Wolf,pi433C*
> > > alias: of:N*T*CSmarthome-Wolf,pi433
> > > depends:
> > > staging: Y
> > > retpoline: Y
> > > intree: Y
> > > name: pi433
> > > vermagic: 5.18.0-6-generic SMP preempt mod_unload modversions
> > > sig_id: PKCS#7
> > > signer: Build time autogenerated kernel key
> > > sig_key: 66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40
> > > sig_hashalgo: sha512
> > > signature
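
Added example, not part of the thread and not the code of debian/scripts/module-signature-check, sign-file or kmodsign: a sketch of locating and removing the appended PKCS#7 signature the thread discusses, using the kernel's on-disk layout (payload, signature data, 12-byte `struct module_signature`, then the `~Module signature appended~\n` magic). The inclusion list as a set of relative paths, the helper names and the sample module bytes are assumptions constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING, last bytes of a signed .ko
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature; sig_len is big-endian
PKEY_ID_PKCS7 = 2                          # id_type that modinfo reports as "sig_id: PKCS#7"


class SigInfo(NamedTuple):
    unsigned_len: int  # size of the module without the appended signature
    sig_len: int       # size of the PKCS#7 data


def signature_info(data: bytes) -> Optional[SigInfo]:
    """Locate the appended signature; return None if the module is unsigned."""
    if not data.endswith(MAGIC):
        return None
    trailer_at = len(data) - len(MAGIC) - TRAILER.size
    if trailer_at < 0:
        raise ValueError("magic present but module_signature trailer is truncated")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack_from(data, trailer_at)
    # For PKCS#7 every descriptor field except id_type and sig_len must be zero.
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        raise ValueError("not a PKCS#7 module signature trailer")
    if sig_len > trailer_at:
        raise ValueError("sig_len exceeds file size")
    return SigInfo(trailer_at - sig_len, sig_len)


def strip_signature(data: bytes) -> bytes:
    """Return the module bytes without signature data, trailer and magic."""
    info = signature_info(data)
    return data if info is None else data[:info.unsigned_len]


def signed_unlisted(modules: dict, allowed: set) -> list:
    """Staging modules that carry a signature but are not on the inclusion list."""
    return sorted(path for path, data in modules.items()
                  if path.startswith("drivers/staging/")
                  and path not in allowed and signature_info(data) is not None)


def constructed_signed_module(payload: bytes, sig: bytes) -> bytes:
    """Constructed sample input: payload + placeholder signature + trailer + magic."""
    return payload + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    ko = constructed_signed_module(b"\x7fELF" + bytes(60), b"\x30\x82" + bytes(30))
    print(signature_info(ko), len(strip_signature(ko)))
```

Running `signed_unlisted` over the modules unpacked from both the image packages and the ddebs covers the debug copies that Dimitri found still signed.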