Linux kernel module signing is retarded.

I have been digging around to figure out what I need to do regarding kernel module signing and secure boot with my kernel modules on Linux. It looks like things in this area have settled down and there is now a working solution most distros will pick up: shim plus MOK (Machine Owner Keys).

The problem with the MOK mechanism is that, except on Red Hat systems (and maybe SUSE), 3rd party kernel modules must be at least partially compiled on the end-user system. This means the private key used to sign the kernel module must exist, at least temporarily, on the end-user system. Any time you deploy public-key cryptography and the private key in your scheme is not kept secret, you are doing something wrong. Signing kernel modules built on the end-user system is pointless and retarded, no argument necessary.
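To make concrete what "signing a kernel module" actually produces, here is an added example (not code from this post) that inspects the trailer `scripts/sign-file` appends to a `.ko`: the PKCS#7 blob, a 12-byte `struct module_signature`, and the magic string `~Module signature appended~\n`, laid out as in the kernel's `include/linux/module_signature.h`. It applies the same structural checks the kernel's `mod_check_sig()` does, so an administrator can tell whether a vendor-shipped module is signed, unsigned, or carries a broken trailer. The sample module and signature bytes are constructed stand-ins; the code does not verify the PKCS#7 signature cryptographically, which would require the signer's certificate (the MOK or CA cert).

```python
"""Inspect the signature trailer that the kernel's scripts/sign-file appends
to a .ko file.  Layout (from include/linux/module_signature.h):

    [ELF module][PKCS#7 blob, sig_len bytes][struct module_signature, 12 bytes]
    ["~Module signature appended~\\n", 28 bytes]

Only the trailer's structure is checked, as the kernel's mod_check_sig() does;
verifying the PKCS#7 signature itself needs the signer's certificate (MOK/CA).
"""
import struct

MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2                          # the only id_type the kernel accepts today
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len,
# __pad[3], __be32 sig_len  -> big-endian, 12 bytes in total
SIG_HDR_FMT = ">5B3sI"
SIG_HDR_LEN = struct.calcsize(SIG_HDR_FMT)


def append_signature_trailer(module_bytes, pkcs7_blob):
    """Lay the trailer out exactly as sign-file does.  Used here to build test
    input; in practice the blob is the DER CMS signature produced by sign-file."""
    hdr = struct.pack(SIG_HDR_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7_blob))
    return module_bytes + pkcs7_blob + hdr + MODULE_SIG_STRING


def split_signed_module(data):
    """Return (payload, pkcs7_blob) for a signed module, or (data, None) when the
    magic trailer is absent.  Raises ValueError for a malformed trailer, mirroring
    the field checks in the kernel's mod_check_sig()."""
    if not data.endswith(MODULE_SIG_STRING):
        return data, None
    body = data[:len(data) - len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR_LEN:
        raise ValueError("trailer present but file too short for module_signature")
    hdr_off = len(body) - SIG_HDR_LEN
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = struct.unpack(
        SIG_HDR_FMT, body[hdr_off:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("PKCS#7 trailer must have zeroed algo/hash/signer/key_id/pad")
    if sig_len >= hdr_off:   # kernel: sig_len >= file_len - sizeof(ms) -> -EBADMSG
        raise ValueError("sig_len exceeds module size")
    sig_off = hdr_off - sig_len
    return body[:sig_off], body[sig_off:hdr_off]


def signature_status(data):
    """Classify a module image as 'signed', 'unsigned' or 'malformed'."""
    try:
        _, blob = split_signed_module(data)
    except ValueError:
        return "malformed"
    return "signed" if blob is not None else "unsigned"


# Constructed sample input: a stand-in for an ELF module and a stand-in PKCS#7
# blob.  A real .ko starts with b"\x7fELF" and the blob is DER from sign-file.
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_BLOB = b"\x30\x82\x01\x00" + b"\xaa" * 40      # mimics a DER SEQUENCE header
SAMPLE_SIGNED = append_signature_trailer(SAMPLE_MODULE, SAMPLE_BLOB)

if __name__ == "__main__":
    cases = [("unsigned", SAMPLE_MODULE),
             ("signed", SAMPLE_SIGNED),
             # the trailer sits outside the ELF container, so running strip(1)
             # on a signed module drops it and the module is unsigned again
             ("trailer removed", SAMPLE_SIGNED[:-len(MODULE_SIG_STRING)])]
    for name, image in cases:
        print(f"{name:16s} -> {signature_status(image)}")
```

Because the trailer lives outside the ELF container, any post-processing that rewrites the file (for example `strip`) silently discards it; the third case above shows that a module handled that way is simply treated as unsigned, which is why signing has to be the last step of a build.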

For Red Hat systems, I might eventually end up signing prebuilt kernel modules using my organization's private key. For users of every other distro the course of action is clear: if a user wants to run my software then he/she will have to disable secure boot.

There is no feasible way to improve the situation for 3rd party developers. The Linux kernel devs will never implement a stable kernel ABI to allow general binary kernel module distribution, and if kernel modules are built on the end-user system then they cannot be signed using a vendor private key.

And no, getting my kernel modules into the kernel source tree is not a solution. There has been a lot of really good engineering that the established kernel devs would not take into the kernel tree, and there is plenty of shoddy engineering they definitely should not take. But regardless, the user should always have the right to choose what software they want to run on their systems. Kernel features and distro choices that arbitrarily limit user freedoms are crossing a line.