CONFIG MODULE SIG

From Exploitee.rs
Jump to: navigation, search

Overview

The CONFIG_MODULE_SIG parameter implements cryptographic signing of all loadable kernel modules (LKM). With this option configured the kernel will use compiled in public keys to verify the authenticity of the module. As per David Howells LKML post:

There are several reasons why these patches are useful, amongst which are:

(1) to protect against accidentally-corrupted modules causing damage;

(2) to protect against maliciously modified modules causing damage;

(3) to allow a sysadmin (or more likely an IT department) to enforce a policy that only known and approved modules shall be loaded onto machines which they're expected to support;

(4) to allow other support providers to do likewise, or at least to _detect_ the fact that unsupported modules are loaded;

(5) to allow the detection of modules replaced by a second-order distro or a preloaded Linux purveyor.

NOTE: The patch attached to the referenced LKML post is not entirely consistent with the implementation on the Revue. Since Logitech has not made a GPL drop, we can not verify the specific implementation at this time.

Logitech Implementation

The CONFIG_MODULE_SIG option is enabled in the kernel used under normal operation. It is not enabled when in (the initial) recovery mode. Analysis of modules from the Logitech Revue gives an indication of how Logitech has likely modified the standard Linux kernel patch. Using objdump to inspect the ELF sections reveals that the Revue appears to use a section called '.signature' rather than '.module_sig'.

This is seen in index 11 of the 'objdump -h' output provided below from a module used by the Revue:

	sec_kernel.ko:     file format elf32-i386

	Sections:
	Idx Name          Size      VMA       LMA       File off  Algn
	  0 .text         00002960  00000000  00000000  00000040  2**4
					  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
	  1 .rodata       000002bc  00000000  00000000  000029a0  2**2
					  CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA
	  2 .rodata.str1.1 00000199  00000000  00000000  00002c5c  2**0
					  CONTENTS, ALLOC, LOAD, READONLY, DATA
	  3 .rodata.str1.4 00000478  00000000  00000000  00002df8  2**2
					  CONTENTS, ALLOC, LOAD, READONLY, DATA
	  4 .modinfo      000000ba  00000000  00000000  00003280  2**5
					  CONTENTS, ALLOC, LOAD, READONLY, DATA
	  5 __versions    00000580  00000000  00000000  00003340  2**5
					  CONTENTS, ALLOC, LOAD, READONLY, DATA
	  6 .data         000000c4  00000000  00000000  000038c0  2**5
					  CONTENTS, ALLOC, LOAD, RELOC, DATA
	  7 .gnu.linkonce.this_module 00000280  00000000  00000000  00003a00  2**7
					  CONTENTS, ALLOC, LOAD, RELOC, DATA, LINK_ONCE_DISCARD
	  8 .bss          00000664  00000000  00000000  00003c80  2**5
					  ALLOC
	  9 .comment      0000006c  00000000  00000000  00003c80  2**0
					  CONTENTS, READONLY
	 10 .note.GNU-stack 00000000  00000000  00000000  00003cec  2**0
					  CONTENTS, READONLY
	 11 .signature    00000200  00000000  00000000  00003cec  2**0
					  CONTENTS, READONLY