Harden the loading of new modules to the kernel after install #148
Conversation
not sure if this would be the right way to do it
|
Not sure yet. I will add some comments about the implementation now before I comment on the actual functionality. |
debian/security-misc.postinst
Outdated
| /usr/libexec/security-misc/permission-lockdown | ||
| permission_hardening | ||
|
|
||
| systemctl enable disable-module-loading.service |
There was a problem hiding this comment.
This fortunately isn't needed. #DEBHELPER automagically does that, it honors systemd preset and whatnot.
|
Your new implementation solution is is a clever approach. Restricting kernel module loading was attempted in the past:
It stalled. There was some breakage in the past. Is this tested? Would these things still be broken with the new implementation? |
|
Yes I have tested most anything. Anything under modules-load.d loads perfectly. No issues there. So this kind of breakage is not present. When it comes to virtualbox, I think that might still break, but probably not. Because far as I know virtualbox loads its own module to the kernel for virtualization. Thats why it is also not compatible with secure boot without adjusting. But the question is, when does virtual box load its module. If it happens during boot automatically, then no breakage. Just install. It won't work, sure. Then reboot. And it will work. If virtualbox tries to load its modules only when you launch the application, then it won't work. To be honest, there are better virtualization tools, so breaking virtualbox wouldn't be a big deal for me. To be even more honest, I think there is a good chance it doesn't break anyway because it loads the modules on startup. Ok quick research results: for example on arch, virtualbox loads its modules on startup automatically. So it wouldn't break. They do it with the file |
|
Perhaps a separate issue. (Not suggested as a replacement. Enforcing signature verification would be in addition.) |
|
On a somewhat unrelated topic, I would prefer the modules signed by Debian organization and not the user. Firstly, Debian signs everything they ship anyway. So enrolling the key would be a piece of cake. And also constantly signing stuff on the user end is not the easiest thing to maintain. Because the signing process would have to extremely restricted with a mac policy. Else, once compromised, nothing would stop the intruder from signing their stuff with the private keys that are on the users machine. I would say this is a little unrelated tho. This pull is about loading modules at all after boot, not that if they are signed or not. |
|
Or if you want to add some third party modules that are not signed by Debian, Kicksecure/Whonix can take it upon itself to sign everything on their end with their keys. Then the user would enroll Whonix's keys. |
|
Yessir, we do it before sysinit.target now. I think that has to be enough. |
|
Is there any particular issue that is preventing this from being merged, like a lack of testing of a certain application like virtualbox? Or lack of testing in general. |
|
I was adjusting the Kicksecure / Whonix VirtualBox installer today to cope up with modules load disabled or module signature verification enforcement. https://forums.whonix.org/t/whonix-linux-installer-development-discussion/15917/147 |
|
Also testing this isn't simple. Specifically testing this with Qubes VM kernel is difficult because that itself is difficult to use. Trying to resolve 1 issue and running into another issue. |
2 participants
Normally it is recommended to have
kernel.modules_disabledset to1. This is the case for all hardened systems, where they pre-define all the modules to be loaded if any. This prevents the loading of new modules to the kernel. Having this set as a sysctl configuration breaks the system, because it also deniessystemd-modules-load.servicethe ability to load the modules that are legitemately needed. I found a workaround. I created a systemd service. It triggers on start up but only aftersystemd-modules-load.servicehas already done its thing. Then it disables the loading of new modules to the kernel by setting the aforementioned kernel variable. The system is fully functional.The only scenario where this would be somewhat inconvenient is maybe if and only if the following exact things happen:
But if everything is plugged in on system startup, nothing can break even in such an edge scenario, I think.
There are some stuff I am not sure of. First of all, it works as is perfectly. I put the service under
lib/systemd/system/harden-module-loading.serviceand the executable that sets the kernel variable inusr/libexec/security-misc/disable-kernel-module-loading. If another path is more desirable for the executable, we can change that. I also enable the service after install by adding the linesystemctl enable disable-module-loading.serviceinto the filedebian/security-misc.postinst. I am not sure if this would be right method of enabling the service. If it needs to be taken care of somewhere else, this can also be fixed.