Linux 4.7 To Gain New Security Feature Ported From Chrome OS
James Morris has announced the security subsystem updates intended for the Linux 4.7 kernel, and they include one addition worth mentioning.
Linux 4.7 is set to get the "LoadPin" Linux Security Module (LSM). LoadPin is ported from Chrome OS and allows limiting the medium/location from which kernel modules and firmware can be loaded. In other words, it ensures that any modules, firmware, or other assets touching the kernel are only loaded from a trusted source.
Kees Cook, who has been working to bring this to the mainline Linux kernel, explained of the LoadPin LSM, "this provides the mini-LSM 'loadpin' that intercepts the now consolidated kernel_file_read LSM hook so that a system can keep all loads coming from a single trusted filesystem. This is what Chrome OS uses to pin kernel module and firmware loading to the read-only crypto-verified dm-verity partition so that kernel module signing is not needed."
As an alternative to dm-verity, the LoadPin LSM could even be used to require that kernel modules/firmware only be loaded from, say, a CD/DVD-ROM. However, even if the kernel is built with CONFIG_SECURITY_LOADPIN, it can still be defeated by setting loadpin.enabled=0 at boot time.
The 4.7 security subsystem pull request can be viewed via the kernel mailing list.
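Because a kernel built with CONFIG_SECURITY_LOADPIN can still boot with loadpin.enabled=0, an audit has to look at both the kernel config and the boot command line. The script below is an added example, not code from the article or the kernel project; the function names, verdict strings and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): decide whether LoadPin pinning
# can be relied on for a given kernel config and boot command line.
# Only CONFIG_SECURITY_LOADPIN and loadpin.enabled come from the article.

# Print how the command line sets loadpin.enabled: disabled, enabled or unset.
# Assumption: when the parameter is repeated, the last occurrence wins,
# and any non-zero value leaves enforcement on.
loadpin_cmdline_state() (
    set -f                      # no glob expansion while word-splitting
    state=unset
    for tok in $1; do
        case "$tok" in
            loadpin.enabled=0) state=disabled ;;
            loadpin.enabled=*) state=enabled ;;
        esac
    done
    printf '%s\n' "$state"
)

# Succeed only if the config text has LoadPin built in ("is not set" fails).
loadpin_built() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_SECURITY_LOADPIN=y'
}

# Combine both checks into one verdict string.
loadpin_verdict() {
    if ! loadpin_built "$1"; then
        echo "not-built"
        return 0
    fi
    case "$(loadpin_cmdline_state "$2")" in
        disabled) echo "built-but-disabled-at-boot" ;;
        enabled)  echo "built-and-enabled-at-boot" ;;
        *)        echo "built-default-setting" ;;
    esac
}

# Constructed sample inputs.
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_LOADPIN=y'
SAMPLE_CMDLINE='root=/dev/dm-0 ro quiet loadpin.enabled=0'

loadpin_verdict "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"
# On a live host (config path is a common distro convention, an assumption):
# loadpin_verdict "$(cat "/boot/config-$(uname -r)")" "$(cat /proc/cmdline)"
```

A "built-but-disabled-at-boot" verdict means whoever controls the bootloader configuration controls the pin, so the command line needs the same protection as the trusted filesystem itself.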