Signed Kernel Modules Support For Linux 3.7
One of the last merge requests that Linus Torvalds honored this past weekend prior to releasing Linux 3.7-rc1 was the modules pull, which added module signing support to the Linux kernel.
The work coming out of Red Hat introduces a CONFIG_MODULE_SIG option that enables module signing support. This kernel configuration option causes the build process to sign the kernel modules as they are built and the resulting kernel to check the modules when they are loaded. Module signing supports the SHA1, SHA224, SHA256, SHA384, and SHA512 cryptographic hashes.
A CONFIG_MODULE_SIG_FORCE option was also added as part of this kernel modules work, which will require any kernel module that is loaded to be signed by a key compiled into the kernel. If the module isn't signed by a key in that kernel, the module will not be loaded.
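As an added example (not code from the kernel patches or from this article), the following Python sketch reads a kernel `.config` and reports whether module signing is disabled, checked but not required, or enforced, based on the two options described above. The function names, the mode labels and the sample configs are constructed for illustration.

```python
import re

# Hash choices named in the article; the CONFIG_MODULE_SIG_<HASH> spelling is
# the kernel's Kconfig naming for them.
HASHES = ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512")
_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Return {option: value}; options listed as 'is not set' map to 'n'."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if (m := _SET.match(line)):
            opts[m.group(1)] = m.group(2).strip('"')
        elif (m := _UNSET.match(line)):
            opts[m.group(1)] = "n"
    return opts


def module_sig_posture(text):
    """Classify a kernel config as 'disabled', 'permissive' or 'enforced'."""
    opts = parse_kconfig(text)
    sig = opts.get("CONFIG_MODULE_SIG") == "y"
    force = opts.get("CONFIG_MODULE_SIG_FORCE") == "y"
    hashes = [h for h in HASHES if opts.get("CONFIG_MODULE_SIG_" + h) == "y"]
    if not sig:
        mode = "disabled"    # FORCE depends on MODULE_SIG, so it cannot apply
    elif force:
        mode = "enforced"    # modules not signed by a built-in key are refused
    else:
        mode = "permissive"  # signatures are checked, but not required
    return {"mode": mode, "hash": hashes[0] if sig and hashes else None}


# Constructed sample configs, not taken from any real distribution kernel.
PERMISSIVE = """\
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_SHA1=y
"""
ENFORCED = PERMISSIVE.replace(
    "# CONFIG_MODULE_SIG_FORCE is not set", "CONFIG_MODULE_SIG_FORCE=y"
).replace("CONFIG_MODULE_SIG_SHA1=y", "CONFIG_MODULE_SIG_SHA512=y")

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("enforced", ENFORCED)):
        print(name, module_sig_posture(cfg))
```

On a running system the same function can be fed the contents of the installed kernel's config file, where the distribution ships one.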
The accepted patches come via Red Hat's David Howells. Module signing support in its earliest form dates back to 2004, but only recently was it agreed that the support was acceptable for mainline integration.
The most pressing need for module signing support is UEFI SecureBoot, so that the Linux kernel can refuse to load any unsigned modules, which could pose a threat if they are malicious code or unsigned binary blobs.
The "modules-next" pull carrying this "MODSIGN" support, which went in on Sunday prior to the closing of the Linux 3.7 merge window, can be seen from the web-based Git viewer.
David Howells (30):