Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CA+-XxSF2JKURyb3o7Y4ZR1P20rEH7zOoeSzHfUJLj+m_G_3kcg@mail.gmail.com>
Date: Tue, 21 Jun 2022 10:41:22 -0700
From: Igor Seletskiy <i@...udlinux.com>
To: oss-security@...ts.openwall.com
Subject: Request for comment: kmod signing by AlmaLinux OS Foundation

Hello list, I have a security-related question for the Linux community at
large.

AlmaLinux OS is a community rebuild of RHEL 8.x & RHEL 9.x done by the
non-profit AlmaLinux OS Foundation. The foundation is community-driven and
done for the benefit of the community. As part of its service, it has
signed shim, kernel & signs kmods that come as part of RHEL to provide
SecureBoot & ability to load kmods when secure boot is enabled. Note that
our shim is already signed and works without OEM/customers adding any keys
to the BIOS

Yet, the goal of the organization is to serve the community beyond where
RHEL servers, which might include the need to ship additional kernels &
kernel modules.

AlmaLinux technical team is considering starting signing:

1. Additional kernels (like kernel for RaspberryPi or the latest mainline
kernel)

2. Additional kernel modules from AlmaLinux OS Foundation sponsors.

We believe that such an approach might benefit the community as a whole.
Yet, we are mindful of security implications and want to ask for feedback
from the AlmaLinux community, the broader Linux community, as well as from
security experts.


At this moment we want to focus on kmod signing. Here are some of the
conditions that the AlmaLinux technical team considers to require

*The conditions would be: *1. The module should be GPLv2, published to
Github/available to all 2. AlmaLinux will publish the signed modules in its
main repository, maintaining an additional repository for such module 3.
The module can only come from sponsoring members 4. It has to be approved
by the AlmaLinux tech committee 5. Additionally, it might require the
approval of the board. 6. AlmaLinux OS would publish information for all
such modules built. 7. Require 3rd audit from vetted security audit vendors
(optional? how to deal with security issues/need for quick release
turnaround for security-related vulnerabilities/changes?)

We would appreciate feedback from the community.


Regards,
Igor Seletskiy @ AlmaLinux OS Foundation

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.