
Linux 4.7 is set to get the "LoadPin" Linux Security Module (LSM). LoadPin is ported from Chrome OS and allows limiting the medium/location from which any kernel modules and firmware can be loaded. In other words, it ensures that any modules, firmware, or other assets touching the kernel are loaded only from a trusted source.
Kees Cook, who has been working to bring this to the mainline Linux kernel, explained the LoadPin LSM as follows: "this provides the mini-LSM 'loadpin' that intercepts the now consolidated kernel_file_read LSM hook so that a system can keep all loads coming from a single trusted filesystem. This is what Chrome OS uses to pin kernel module and firmware loading to the read-only crypto-verified dm-verity partition so that kernel module signing is not needed."
As an alternative to dm-verity, the LoadPin LSM could even be used to require that kernel modules/firmware be loaded only from, say, a CD/DVD-ROM. Note, though, that even if the kernel is built with CONFIG_SECURITY_LOADPIN, the protection can still be switched off by setting loadpin.enabled=0 at boot time.
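Because a LoadPin-enabled kernel can still boot with loadpin.enabled=0, an administrator auditing a fleet wants to know whether the LSM is actually enforcing. The following POSIX shell helper is an added example, not code from the article or the kernel tree; it assumes /proc/cmdline holds the boot line, that kernels which expose /sys/kernel/security/lsm list "loadpin" there, and that the runtime toggle is readable at /proc/sys/kernel/loadpin/enabled as in the 4.7 code (later kernels renamed it). The sample values used in the functions' documentation are constructed.

```shell
#!/bin/sh
# Added LoadPin audit helper (not from the article or the kernel tree).
# Assumed paths: /proc/cmdline, /sys/kernel/security/lsm (newer kernels),
# /proc/sys/kernel/loadpin/enabled (the 4.7-era sysctl; renamed later).

# Print 0 or 1 for the last loadpin.enabled= setting on the command line,
# or "default" when the option is absent (the build-time default then applies).
loadpin_cmdline_enabled() {
    state=default
    for tok in $1; do
        case "$tok" in
            loadpin.enabled=0) state=0 ;;
            loadpin.enabled=1) state=1 ;;
        esac
    done
    echo "$state"
}

# Print yes/no for whether "loadpin" appears in a comma-separated LSM list.
loadpin_listed() {
    case ",$1," in
        *,loadpin,*) echo yes ;;
        *)           echo no ;;
    esac
}

# Verdict: not-loaded / built-but-disabled / enforcing.
# A readable sysctl value reflects the live state and wins over the command line;
# an absent option is treated as the enabled build default.
loadpin_verdict() {
    lsm_list="$1"; cmdline="$2"; sysctl_val="$3"
    if [ "$(loadpin_listed "$lsm_list")" = no ]; then
        echo not-loaded; return
    fi
    case "$sysctl_val" in
        0) echo built-but-disabled; return ;;
        1) echo enforcing; return ;;
    esac
    if [ "$(loadpin_cmdline_enabled "$cmdline")" = 0 ]; then
        echo built-but-disabled
    else
        echo enforcing
    fi
}

# Live check of the running system; set LOADPIN_AUDIT_LIVE=1 to run it.
if [ "${LOADPIN_AUDIT_LIVE:-0}" = 1 ]; then
    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null)
    cmd=$(cat /proc/cmdline 2>/dev/null)
    sc=$(cat /proc/sys/kernel/loadpin/enabled 2>/dev/null)
    echo "LoadPin: $(loadpin_verdict "$lsm" "$cmd" "$sc")"
fi
```

On a kernel that does not expose the LSM list, feed an explicit "loadpin" entry (e.g. from a kernel log line mentioning LoadPin) to loadpin_verdict instead of the empty sysfs read, or the result will be reported as not-loaded.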
The 4.7 security subsystem pull request can be viewed via the kernel mailing list.