Red Hat Working On Delayed Module Signature Verification To Speed-Up Linux Boot Times

Written by Michael Larabel in Linux Security on 15 September 2023 at 06:13 AM EDT.
A Red Hat engineer has published patches that optionally allow module signature verification to be delayed, with the aim of keeping a Linux system secure while allowing faster boot times.

Red Hat engineer Alessandro Carminati explained in a new set of kernel patches he submitted under a "request for comments" (RFC) flag:
"This patch sets up a new feature to the Linux kernel to have the ability, while module signature checking is enabled, to delay the moment where these signatures are effectively checked. The feature is structured into two main key points: the feature can be enabled by a new command line kernel argument, while in delay mode, the kernel waits until the userspace communicates to start checking signature modules. This operation can be done by writing a value in a securityfs file, which works the same as /sys/kernel/security/lockdown.

Patch 1/2: Modules: Introduce boot-time module signature flexibility
The first patch in this set fundamentally alters the kernel's behavior at boot time by implementing a delayed module signature verification mechanism. It introduces a new boot-time kernel argument that allows users to request this delay. By doing so, we aim to capitalize on the cryptographic checks already performed on the kernel and initrd images during the secure boot process. As a result, we can significantly improve the boot speed without compromising system security.

Patch 2/2: docs: Update kernel-parameters.txt for signature verification enhancement
The second patch is just to update the kernel parameters list documentation.

Background and Motivation
In certain contexts, boot speed becomes crucial. This patch follows the recognition that security checks can at times be redundant. Therefore, it proves valuable to skip those checks that have already been validated.

In a typical Secure Boot startup with an initrd, the bootloader is responsible for verifying artifacts before relinquishing control. In a verified initrd image, it is reasonable to assume that its content is also secure. Consequently, verifying module signatures may be deemed unnecessary. This patch introduces a feature to skip signature verification during the initrd boot phase."

The patches propose module_sig_check_wait= as a new boot-time argument that delays activation of module signature checks in an effort to speed up boot times.
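
A defender-side check for the boot argument described above, as an added example that is not part of the article or the patch set: it parses a kernel command line and flags module_sig_check_wait=. The function names and the sample command line are constructed, and because the page does not give the argument's value format, any value is treated as a delay request; module.sig_enforce and lockdown= are existing kernel parameters reported for context.

```sh
#!/bin/sh
# Added example: flag a kernel command line that requests delayed module
# signature verification. Not code from the patch set.

# cmdline_value CMDLINE KEY: print the value of the last KEY or KEY=value
# token and return 0; return 1 if KEY is absent. Simplification: quoted
# values containing spaces are not handled.
cmdline_value() {
    _found=1; _val=
    set -f                      # no glob expansion while splitting tokens
    for _tok in $1; do
        case $_tok in
            "$2")   _val=;           _found=0 ;;
            "$2"=*) _val=${_tok#*=}; _found=0 ;;
        esac
    done
    set +f
    [ "$_found" -eq 0 ] && printf '%s\n' "$_val"
    return "$_found"
}

# audit_module_sig CMDLINE: print one finding per line. Returns 1 when the
# proposed module_sig_check_wait= argument is present (assumption: any
# value requests the delay), 0 otherwise.
audit_module_sig() {
    _rc=0
    if _w=$(cmdline_value "$1" module_sig_check_wait); then
        echo "DELAYED: module_sig_check_wait=$_w (modules loaded before userspace enables checks are not verified)"
        _rc=1
    else
        echo "OK: module_sig_check_wait not set"
    fi
    if _e=$(cmdline_value "$1" module.sig_enforce); then
        echo "INFO: module.sig_enforce=$_e"
    fi
    if _l=$(cmdline_value "$1" lockdown); then
        echo "INFO: lockdown=$_l"
    fi
    return "$_rc"
}

# Constructed sample command line (not from a real host); on a live system
# pass "$(cat /proc/cmdline)" instead.
SAMPLE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro module.sig_enforce=1 module_sig_check_wait=1 lockdown=integrity'
audit_module_sig "$SAMPLE" || echo "=> review: delayed verification requested"
```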
