StarlingX

CentOS: Kernel packages include kernel module signing key

Bug #1988361 reported by Jiping Ma
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Low
Jiping Ma

Bug Description

this is a security issue, because now everyone can sign and insert their own modules into the kernel, even on systems with UEFI secure boot and/or the lockdown kernel feature enabled.

Severity

Major, due to the security impact

Steps to Reproduce

# In my VM:

$ ls -1 /usr/src/kernels/5.10.74-200.1644.tis.rt.el7.x86_64/signing_key.*
/usr/src/kernels/5.10.74-200.1644.tis.rt.el7.x86_64/signing_key.pem
/usr/src/kernels/5.10.74-200.1644.tis.rt.el7.x86_64/signing_key.x509

$ rpm -q -f /usr/src/kernels/5.10.74-200.1644.tis.rt.el7.x86_64/signing_key.pem
kernel-rt-devel-5.10.74-200.1644.tis.rt.el7.x86_64
I was able to sign my own version of the ice driver with these files and insert it into the kernel, and I did not encounter any module signature taint warnings in "/sys/module/ice/taint". (The letter "E" in that file would indicate a signature issue, but that letter did not appear as I was able to sign the module.)

Expected Behavior

Signing keys should not be available in installed systems.

Actual Behavior

Kernel module signing keys are available in the kernel-devel and kernel-rt-devel packages.

Reproducibility

Reproducible on CentOS-based starlingx.

System Configuration

Not applicable.

Load info (eg: 2022-03-10_20-00-07)

Not applicable.

Last Pass

Timestamp/Logs

None.

Alarms

Not applicable.

Test Activity

Normal use / Discussion with colleagues.

Workaround

None.

Jiping Ma (jma11)
Changed in starlingx:
assignee: nobody → Jiping Ma (jma11)
OpenStack Infra (hudson-openstack)
Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → High
tags: added: stx.distro.other
Revision history for this message
Ghada Khalil (gkhalil) wrote :

screening: marking as low priority given the plan to fully transition starlingx to Debian. Can still be fixed based on the discretion of the OS team.

Changed in starlingx:
importance: High → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kernel (master)

Reviewed: https://review.opendev.org/c/starlingx/kernel/+/854935
Committed: https://opendev.org/starlingx/kernel/commit/4aa9658077ce81a16ebf53ea95539ac138df47ed
Submitter: "Zuul (22348)"
Branch: master

commit 4aa9658077ce81a16ebf53ea95539ac138df47ed
Author: Jiping Ma <email address hidden>
Date: Fri Aug 26 07:57:29 2022 -0400

    CentOS: Place module signing keys in a separate package

    Currently we package our module signing keys as part of
    the 'kernel-devel' package. This means that anyone obtaining
    our 'kernel-devel' package, which we do publish, can produce
    signed modules. This violates the intent of secure boot.

    Re-package our module signing keys into a separate package
    known as 'kernel-devel-keys'.

    Testing:
    - An ISO image can be built out successfully.
    - Installation of the ISO image is successful with standard and
      low-latency profiles.
    - Make sure there are not the keys in the lab that installed
      with the ISO image.

    Closes-Bug: 1988361

    Signed-off-by: Jiping Ma <email address hidden>
    Change-Id: I4b5235fdb0fffa32cc7fd40c7870d0ddeec6595e

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.8.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.