Request for comment: kmod signing by AlmaLinux OS Foundation

AlmaLinux OS is a community rebuild of RHEL 8.x & RHEL 9.x done by the non-profit AlmaLinux OS Foundation. The foundation is community-driven and done for the benefit of the community. As part of its service, it has signed shim, kernel & signs kmods that come as part of RHEL to provide SecureBoot & ability to load kmods when secure boot is enabled. Note that our shim is already signed and works without OEM/customers adding any keys to the BIOS.

Yet, the goal of the organization is to serve the community beyond where RHEL serves, which might include the need to ship additional kernels & kernel modules.

The AlmaLinux technical team is considering starting to sign:

  1. Additional kernels (like kernel for RaspberryPi or the latest mainline kernel)
  2. Additional kernel modules from AlmaLinux OS Foundation sponsors.

We believe that such an approach might benefit the community as a whole. Yet, we are mindful of security implications and want to ask for feedback from the AlmaLinux community, the broader Linux community, as well as from security experts.

At this moment we want to focus on kmod signing. Here are some of the conditions that the AlmaLinux technical team is considering requiring.

The conditions would be:

  1. The module should be GPLv2, published to GitHub/available to all
  2. AlmaLinux will publish the signed modules in its main repository, maintaining an additional repository for such modules
  3. The module can only come from sponsoring members
  4. It has to be approved by the AlmaLinux tech committee
  5. Additionally, it might require the approval of the board.
  6. AlmaLinux OS would publish information for all such modules built.
  7. Require 3rd audit from vetted security audit vendors (optional? how to deal with security issues/need for quick release turnaround for security-related vulnerabilities/changes?)

We would appreciate feedback from the community.

Hi @iseletsk

Many thanks for this post.

I am rather new to Linux, and a happy user of AlmaLinux as a desktop OS. My usage is therefore much less critical than that of people running it on enterprise servers, but I came across the topic of kmod signing too.

This was raised after I experienced some issues with Wireguard, which was running smoothly until something broke it.

I received great support from the community here:

However, after considering the two options (remove SecureBoot or sign kmod-wireguard), I felt that:

  • keeping SecureBoot is the right thing to do
  • signing a module myself is not something I could do, as I considered not having the technical skills to “competently” sign a module (while I trusted the module, it brought a general feeling a bit like signing a blank check).

For my own little Wireguard issue, I chose a workaround (OpenVPN) waiting for AlmaLinux 9, but it’s great to read your post about this matter, as I believe it will address expectations of a number of existing and future AlmaLinux users.

In terms of Product Management or software lifecycle, the proposed steps look great. Step 7 would provide a higher level of assurance as to the software security supply chain, but I am just wondering how this could be done as securely and efficiently as possible (an audit from a vetted security vendor is a reliable solution, but how would it affect delivery cycle/speed? Could it be somehow integrated in a DevSecOps approach?).

Happy to contribute/volunteer from a Product Management / Process perspective if that could be useful.

And thanks again for raising this topic!

Alex

Thank you Alex. How to balance security & speed while depending on 3rd parties is indeed an issue.

Thank you for the offer to volunteer and help out. Are you interested in just this particular topic, or helping out with AlmaLinux as a whole?

Hi @iseletsk,

Both!

AlmaLinux is a great distribution based on Red Hat - so on its own, it says already a lot - but on top of that, I find the UX is great and it’s impressive to see how much is being delivered by AlmaLinux to the community.

As CIS published their benchmarks for AlmaLinux too, seems I’m not alone in liking the distro :smiley:

I can contribute with best practices (product, projects, programs, devops), or also do some product user testing or feedback. As a relatively new Linux practitioner, I can also make a “newbie corner” or think about ways to know more about the user community, their expectations or find new ideas to foster further adoption.

By the way, I have another computer running Red Hat (8-6 for the moment but planning to move to 9 shortly), so I have access to the (unbelievable) Red Hat documentation.

Happy to contribute, indeed!