linux: provide a pre-made kernel signing key #107524
Conversation
|
Not sure why GH thinks @raboof's commit I based off of isn't in staging already but it's the same one that was merged yesterday. /marvin opt-in |
|
Hi! I'm an experimental bot. My goal is to guide this PR through its stages, hopefully ending with a merge. You can read up on the usage here. |
Without this, the kernel would generate a random one for us which obviously isn't reproducible. `nix-build -A linux --check` succeeds now! (Tested at different times with different kernel) Note: This does not improve or worsen kernel security since we don't enforce signatures. Command used to generate key file: nix run nixpkgs.openssl -c openssl req -new -nodes -utf8 -sha256 -days 36500 \ -batch -x509 -config x509.genkey -outform PEM -out r13yKey.pem -keyout \ r13yKey.pem x509.genkey: ``` [ req ] default_bits = 4096 distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = NixOS CN = Public reproducibility key, DO NOT TRUST ```
Atemu
force-pushed
the
r13y/kernel-module-signing-key
branch
from
30ad1b4
to
c746fe8
Compare
|
Oi, gimme that label back @ofborg. Looks like the commit was rebased, not merged; rebased. |
|
I'm not sure I'm in favor of this. I get the reproducibility aspect, but now if someone turns on signature enforcement in their config (e.g. with As is, this assumption would not be true anymore, in fact anyone could build modules and load them. Maybe this could be conditional on the relevant signature enforcement options? IIRC the kernel build already uses the module system to do that kind of config matching magic in other places. |
|
If your security relies on the kernel build generating a ephemeral key during build, you should enforce its ephermerality rather than assuming it IMO. Perhaps even build your config around Almost nothing in pkgs uses the module system, linuxManualConfig is passed an attrset of arguments, i.e. |
I don't think this is strictly speaking true, in theory: we enable SECURITY_LOCKDOWN_LSM by default, and users could be doing "echo 'confidentiality' > /sys/kernel/security/lockdown". Without this PR, this would protect against loading malicious kernel modules. With this PR, it would no longer protect against it, since the attacker could use the private key from the repo to sign their malicious modules. That said, I think it is also somewhat unlikely people are actually using SECURITY_LOCKDOWN_LSM. Specifically, I think people are unlikely to use SECURITY_LOCKDOWN_LSM on 'regular' NixOS machines: since this feature is intended to protect you even when the attacker has gained root, I think this is a feature you would use on machines where you don't build new kernels on the machine itself, but you'd generate images with something like nixos-generators. In that context you'd probably want to edit your kernel config to only ship the modules you want to be available (and possibly use Given this, I think it would be better to disable |
|
Marvin pinged me, but I don't think this is really ready for review and/or merging, since the discussion around the PR and its consequences is not done yet. I like the fact that the key explicitly says to not trust it, but should we even introduce potential security pitfalls (as described in earlier comments to this PR) as a sacrifice for reproducibility? @Atemu does this configuration even boot with signature enforcement? Can an out-of-tree built-by-Nix module (e.g. openrazer drivers) be loaded? Will these modules be signed too? I think this PR needs lots of documentation before it's ready to merge, and before that, I can't say that I would merge this if I had rights to merge. I'll set "awaiting changes" so Marvin wouldn't bother us until the discussion is complete. /status awaiting_changes |
|
By default, there is no security issue here. The kernels built by hydra would be just as Out of tree module loading should not have changed. I didn't check but logic dictates that, previously, you should not have been able to load OOT modules with signature enforcement because the key required by the kernel was generated during its build process and deleted by the nix-daemon afterwards. I'll check if disabling module signatures completely is possible as that is indeed a cleaner solution, builds are running... |
|
It works! I had to disable |
|
Yes it did lock a few things down but, without enforced signatures, you could get access to those anyways because you could insert an arbitrary module so I don't think we'd lose anything. |
|
Reminder: Please review! This Pull Request is awaiting review. If you are the assigned reviewer, please have a look. Try to find another reviewer if necessary. If you can't, please say so. If the status is not accurate, please change it. If nothing happens, this PR Note: This feature is currently broken. The bot will not actually change the status. If you see this message multiple times, please request a status change manually. |
|
I think this is supposed to be closed now, according to the new PR mentioned above, therefore closing. |
|
I think it would've gotten closed when staging made it into master. |
Motivation for this change
Without this, the kernel would generate a random one for us which obviously
isn't reproducible.
nix-build -A linux --checksucceeds now!(Tested at different times with different kernel)
Note: This does not improve or worsen kernel security since we don't enforce
signatures.
Command used to generate key file:
nix run nixpkgs.openssl -c openssl req -new -nodes -utf8 -sha256 -days 36500
-batch -x509 -config x509.genkey -outform PEM -out r13yKey.pem -keyout
r13yKey.pem
x509.genkey:
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)