CentOS: Kernel packages include kernel module signing key
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| StarlingX | Fix Released | Low | Jiping Ma | |
Bug Description
This is a security issue, because now everyone can sign and insert their own modules into the kernel, even on systems with UEFI secure boot and/or the lockdown kernel feature enabled.
Severity
Major, due to the security impact
Steps to Reproduce
# In my VM:
$ ls -1 /usr/src/
/usr/src/
/usr/src/
$ rpm -q -f /usr/src/
kernel-
I was able to sign my own version of the ice driver with these files and insert it into the kernel, and I did not encounter any module signature taint warnings in "/sys/module/
Expected Behavior
Signing keys should not be available in installed systems.
Actual Behavior
Kernel module signing keys are available in the kernel-devel and kernel-rt-devel packages.
Reproducibility
Reproducible on CentOS-based StarlingX.
System Configuration
Not applicable.
Load info (eg: 2022-03-
Not applicable.
Last Pass
Timestamp/Logs
None.
Alarms
Not applicable.
Test Activity
Normal use / Discussion with colleagues.
Workaround
None.
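The audit script below is an added example and not part of the bug report; it checks an installed host for the condition the report describes (a module signing private key shipped in a kernel-devel tree) and reports whether the running kernel enforces module signatures. Assumed, not taken from the report: the key file names are the in-tree defaults (`certs/signing_key.pem` for 4.x+ kernels, `signing_key.priv` at the tree root for 3.x kernels) and the kernel-devel tree lives under `/usr/src/kernels`.

```shell
#!/bin/sh
# Audit a kernel-devel tree for shipped module signing private keys.
# Added example; key names and paths are assumptions (see lead-in).

# find_signing_keys DIR: print each default-named signing key file under DIR
# that actually holds a PRIVATE KEY block. Returns 0 when none are found,
# 1 when at least one is. The public cert (signing_key.x509) is harmless
# and is deliberately not reported.
find_signing_keys() {
    keys=$(find "$1" -type f \
        \( -name signing_key.pem -o -name signing_key.priv \) \
        -exec grep -l 'PRIVATE KEY' {} + 2>/dev/null)
    if [ -n "$keys" ]; then
        echo "$keys" | sed 's/^/private signing key present: /'
        return 1
    fi
    return 0
}

# sig_enforce_status: "1" if the running kernel refuses unsigned modules,
# "0" if it only taints them, "unknown" if the parameter is not exposed.
sig_enforce_status() {
    p=/sys/module/module/parameters/sig_enforce
    if [ -r "$p" ]; then cat "$p"; else echo unknown; fi
}

# audit_kernel_devel: walk the assumed CentOS kernel-devel location and
# summarise the risk. A shipped private key means anyone on the host can
# produce modules the kernel trusts, regardless of sig_enforce or lockdown.
audit_kernel_devel() {
    if find_signing_keys /usr/src/kernels; then
        echo "OK: no module signing private keys under /usr/src/kernels"
    else
        echo "FAIL: signing keys are installed; module signature checks give no assurance"
        echo "module.sig_enforce=$(sig_enforce_status)"
        return 1
    fi
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then audit_kernel_devel; fi
```

Run it as `sh audit_signing_keys.sh --run` on a suspect host; a FAIL line lists every offending key file so the package can be corrected or the files removed.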
Changed in starlingx:
assignee: nobody → Jiping Ma (jma11)
Changed in starlingx:
status: New → In Progress
Changed in starlingx:
importance: Undecided → High
tags: added: stx.distro.other
tags: added: stx.8.0
screening: marking as low priority given the plan to fully transition StarlingX to Debian. Can still be fixed based on the discretion of the OS team.