StarlingX

Debian: Kernel packages include kernel module signing key

Bug #1992214 reported by Jiping Ma
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Jiping Ma

Bug Description

Brief Description
This is a security issue, because now everyone can sign and insert their own modules into the kernel, even on systems with UEFI secure boot and/or the lockdown kernel feature enabled.

Severity

Major, due to the security impact

Steps to Reproduce

sysadmin@yow2-xr11-001:~$ uname -a
Linux yow2-xr11-001 5.10.0-6-rt-amd64 #1 SMP PREEMPT_RT StarlingX Debian 5.10.112-1.stx.22 (2022-09-23 x86_64 GNU/Linux

$sysadmin@yow2-xr11-001:~$ ls /usr/src/kernels/5.10.0-6-rt-amd64/signing_key.*
/usr/src/kernels/5.10.0-6-rt-amd64/signing_key.pem
/usr/src/kernels/5.10.0-6-rt-amd64/signing_key.x509

sysadmin@yow2-xr11-001:~$ dpkg -S /usr/src/kernels/5.10.0-6-rt-amd64/signing_key.pem
linux-rt-kbuild-5.10: /usr/src/kernels/5.10.0-6-rt-amd64/signing_key.pem
Expected Behavior

Signing keys should not be available in installed systems.

Actual Behavior

Kernel module signing keys are available in the linux-kbuild-5.10 and linux-rt-kbuild-5.10 packages.

Reproducibility

Reproducible on Debian-based starlingx.
System Configuration

Not applicable.

Load info (eg: 2022-03-10_20-00-07)

Not applicable.

Last Pass

Timestamp/Logs

None.

Alarms

Not applicable.

Test Activity

Normal use.

Workaround

None.

Jiping Ma (jma11)
Changed in starlingx:
assignee: nobody → Jiping Ma (jma11)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kernel (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/kernel/+/861822

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.8.0 stx.debian stx.distro.other
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kernel (master)

Reviewed: https://review.opendev.org/c/starlingx/kernel/+/861822
Committed: https://opendev.org/starlingx/kernel/commit/bc9df334b73b03346e6acae74f2f82cfd4a8b83b
Submitter: "Zuul (22348)"
Branch: master

commit bc9df334b73b03346e6acae74f2f82cfd4a8b83b
Author: Jiping Ma <email address hidden>
Date: Fri Oct 7 23:23:43 2022 -0400

    Debian: Place module signing keys in a separate package

    Currently we package our module signing keys as part of
    the 'linux-kbuild' package. This means that anyone obtaining
    our 'linux-kbuild' package, which we do publish, can produce
    signed modules. This violates the intent of secure boot.

    Re-package our module signing keys into a separate package
    known as 'linux-keys'.

    Testing:
    - Build all out of tree modules successfully.
    - An ISO image can be built out successfully.
    - Installation of the ISO image is successful with standard and
      low-latency profiles.
    - The out of tree modules can be loaded successfully when secure boot is
      enabled.
    - Make sure there are not the keys in the lab that installed
      with the ISO image.

    Closes-Bug: 1992214

    Signed-off-by: Jiping Ma <email address hidden>
    Change-Id: I73e80b5869ebdc8b57771b7f016d9c9037a0d512

Changed in starlingx:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.