1

I know the Linux kernel has a key retention service even though I haven't used it myself.

I'm constructing a system where anybody with root cannot check the keys in that service that were registered by plain users. Assuming the kernel was preconfigured (and verified at boot time) so that root is properly restricted (e.g., cannot investigate memory, etc), what would be a way to prevent the root access to the user keys in that service?

Improve this question

1 Answer 1

Reset to default
8

No. Since root can overwrite kernel memory, any software-based protection mechanism can't work.

root is properly restricted (e.g., cannot investigate memory, etc),

If a process's uid is 0 in the root PID namespace, it is a super user and can do such things. Now your "etc" might mean "heavily modified system", but that can mean anything, including "replaced the Linux kernel with MacOS", so either you define that "etc" very precisely, or we need to assume that you're "just simply root on a Linux system".

There are safe, Linux-kernel-supported ways of storing cryptographic secrets, which become completely impossible to read at all, but can be used to encrypt or decrypt things. Different problem, and different solutions (TPM drivers, secure enclaves).

I'm not sure what exactly you're looking for here – you picked the "Kernel Key Retention Service", and that's really meant to hold readable keys for kernel components that need them (there's really no need for your kernel to hold the keys for, say, your HTTPS server; that's a userland problem, and can better be solved in userland. But it needs a way to hold the keys for, say, kerberos so you can mount encrypted NFS, because that's a kernel problem).

If you're instead looking for the same mechanism with which your kernel was unalterably-by-software "verified at boot time" to store keys, you should really be looking into TPM/TPM2, e.g. this redhat document.

Improve this answer
8
  • How can root overwrite kernel memory? Commented Nov 10 at 13:42
  • 2
    @StephenKitt init_module(2) with a really minimal module, or kexec_load(2) your own kernel, or, if enabled in the kernel, mknod'ing /dev/mem and writing to it, or by opening /sys/bus/pci/devices/…/resource{N} of a DMA-capable device (NIC!) and making it do DMA operations on kernel memory Commented Nov 10 at 14:22
  • 4
    well, I secureboot a kernel (I'm too lazy to do measured boot on my laptop, but in principle I could), so that's verified at boot. I could still open /dev/mem on that Fedora machine. That's what I meant with "unless you really specify what your "etc" means": verified at boot does not imply restrained root. It just means that if all processes run as root are trustworthy (and so is the kernel and its modules), then the system is "intact". Now, OPs question seems to imply "assuming I have a misbehaving super user", and that's not covered by boot-time attestation. Commented Nov 10 at 17:12
  • 5
    No. Since root can overwrite kernel memory That does ignore the possibility of configuring an SE Linux-based RBAC system that could prevent root from reading kernel memory. Good luck getting such a system configured and running, nevermind maintaining it - I've actually been involved in efforts that tried... Commented Nov 10 at 18:29
  • 1
    @MarcusMüller Actually, Fedora runs with the "lockdown" feature enabled (man kernel_lockdown), whose goal is to stop root from arbitrarily tampering with the kernel (when under UEFI secure boot). That'll stop root from loading arbitrary modules, unless they have access to an enrolled private key to sign them. And the DMA attacks will be stopped by the IOMMU on anything halfway modern (and properly configured). Commented Nov 11 at 13:49

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.