HEADS UP: Notion of untrusted/insecure kernel modules


Shawn Webb

Apr 8, 2022, 7:00:27 PM
to HardenedBSD Users
Hey all,

I've been working on a little feature to prevent the loading of kernel
modules that HardenedBSD has deemed untrustworthy or insecure. The
feature is still in its infancy, but we have a working implementation.
I've committed the work to 14-CURRENT and plan to MFC to 13-STABLE in
a week or so. No MFC to 12-STABLE is planned.

In order to load a kernel module that has been marked as
insecure/untrusted, users must set the hardening.insecure_kmod sysctl
tunable to 1. Otherwise, the KLD API and related tooling (kldload(8))
will return permission denied (EPERM).

Untrusted kernel modules listed in loader.conf(5) will still be loaded
at boot-time. Likewise, untrusted kernel modules compiled directly
into the kernel will work just fine.

For reference, the GitLab issue tracking the progress of the
implementation:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/79

And the associated wiki documentation:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home#untrustedinsecure-kernel-modules

Please let me know if you have any questions, comments, or concerns.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Shawn Webb

Apr 18, 2022, 11:35:02 AM
to HardenedBSD Users
On Fri, Apr 08, 2022 at 07:00:24PM -0400, Shawn Webb wrote:
> Hey all,
>
> I've been working on a little feature to prevent the loading of kernel
> modules that HardenedBSD has deemed untrustworthy or insecure. The
> feature is still in its infancy, but we have a working implementation.
> I've committed the work to 14-CURRENT and plan to MFC to 13-STABLE in
> a week or so. No MFC to 12-STABLE is planned.
>
> In order to load a kernel module that has been marked as
> insecure/untrusted, users must set the hardening.insecure_kmod sysctl
> tunable to 1. Otherwise, the KLD API and related tooling (kldload(8))
> will return permission denied (EPERM).
>
> Untrusted kernel modules listed in loader.conf(5) will still be loaded
> at boot-time. Likewise, untrusted kernel modules compiled directly
> into the kernel will work just fine.
>
> For reference, the GitLab issue tracking the progress of the
> implementation:
> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/79
>
> And the associated wiki documentation:
> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home#untrustedinsecure-kernel-modules
>
> Please let me know if you have any questions, comments, or concerns.

First victim: i915kms driver depends on lindebugfs.ko, which has been
marked as insecure. So for those who use HardenedBSD on systems with
integrated Intel graphics and use i915kms (drm-*-kmod ports), you'll
need to set the hardening.insecure_kmod sysctl node to 1.
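As an added example (not HardenedBSD's own code), a small sh audit helper for the situation described in this thread: given kldstat(8) output and the names of modules HardenedBSD has marked insecure, it lists the insecure ones that are currently loaded regardless of how they arrived, since modules pulled in from loader.conf(5) or compiled into the kernel never pass through the kldload(8) EPERM check, so the sysctl value alone does not tell you whether one is present. The kldstat text and the insecure-module list are constructed here; only lindebugfs.ko comes from the thread.

```shell
#!/bin/sh
# Audit helper (added example, not HardenedBSD code).

# Constructed sample of kldstat(8) output; real output has the same columns.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   30 0xffffffff80200000  1f2e6f8 kernel
 2    1 0xffffffff82131000     3a38 lindebugfs.ko
 3    1 0xffffffff82135000   1c6d40 i915kms.ko
 4    1 0xffffffff82300000     7d08 tmpfs.ko'

# Assumed list of modules marked insecure; only lindebugfs.ko is named
# in the announcement. Extend it from the wiki page for your version.
INSECURE_KMODS='lindebugfs.ko'

# Print, one per line, the loaded modules whose name is in the insecure list.
# $1: kldstat text, $2: whitespace-separated list of insecure module names.
loaded_insecure_kmods() {
    printf '%s\n' "$1" | awk -v list="$2" '
        BEGIN {
            n = split(list, a, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") bad[a[i]] = 1
        }
        # Skip the header line; the module name is the last column.
        NR > 1 && ($NF in bad) { print $NF }
    '
}

# Combine the sysctl value with the loaded-module check.
# $3: value of hardening.insecure_kmod. Returns 1 if an insecure module
# is loaded (whatever the sysctl says), 0 otherwise.
audit_insecure_kmods() {
    echo "hardening.insecure_kmod = $3"
    found=$(loaded_insecure_kmods "$1" "$2")
    if [ -z "$found" ]; then
        echo "no insecure kernel modules loaded"
        return 0
    fi
    echo "insecure kernel modules loaded (kldload, loader.conf, or static):"
    printf '%s\n' "$found" | sed 's/^/  /'
    return 1
}

# On a real host: audit_insecure_kmods "$(kldstat)" "$INSECURE_KMODS" \
#                   "$(sysctl -n hardening.insecure_kmod)"
if ! audit_insecure_kmods "$SAMPLE_KLDSTAT" "$INSECURE_KMODS" 0; then
    echo "review how lindebugfs.ko was loaded (e.g. as an i915kms dependency)"
fi
```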