On Fri, Apr 08, 2022 at 07:00:24PM -0400, Shawn Webb wrote:
> Hey all,
>
> I've been working on a little feature to prevent the loading of kernel
> modules that HardenedBSD has deemed untrustworthy or insecure. The
> feature is still in its infancy, but we have a working implementation.
> I've committed the work to 14-CURRENT and plan to MFC to 13-STABLE in
> a week or so. No MFC to 12-STABLE is planned.
>
> In order to load a kernel module that has been marked as
> insecure/untrusted, users must set the hardening.insecure_kmod sysctl
> tunable to 1. Otherwise, the KLD API and related tooling (kldload(8))
> will return permission denied (EPERM).
>
> Untrusted kernel modules listed in loader.conf(5) will still be loaded
> at boot-time. Likewise, untrusted kernel modules compiled directly
> into the kernel will work just fine.
>
> For reference, the GitLab issue tracking the progress of the
> implementation:
>
> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/79
>
> And the associated wiki documentation:
>
> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home#untrustedinsecure-kernel-modules
>
> Please let me know if you have any questions, comments, or concerns.
marked as insecure. So for those who use HardenedBSD on systems with