Gentoo Forums
turn off kernel loading modules
farmer.ro
Apprentice


Joined: 20 Aug 2016
Posts: 179

Posted: Sun Oct 09, 2016 3:58 pm    Post subject: turn off kernel loading modules

If one decides to turn off kernel module loading, to enhance security against any type of rootkit, will the kernel still be able to load modules like nvidia and virtualbox that are modprobed before kernel module loading is turned off?

Buffoon
Veteran


Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

Posted: Sun Oct 09, 2016 4:04 pm

Hold your horses, you want to disable loading modules and then you want to load modules? What kind of security would that be if it was possible?

fedeliallalinea
Bodhisattva


Joined: 08 Mar 2003
Posts: 21766
Location: here

Posted: Sun Oct 09, 2016 4:27 pm

And try to sign the modules?
_________________
Questions are guaranteed in life; Answers aren't.

farmer.ro
Apprentice


Joined: 20 Aug 2016
Posts: 179

Posted: Sun Oct 09, 2016 4:28 pm

I would like the modules that are running now to be loaded, but I would like to prevent any new modules that might be inserted into the kernel from being loaded.

farmer.ro
Apprentice


Joined: 20 Aug 2016
Posts: 179

Posted: Sun Oct 09, 2016 4:37 pm

fedeliallalinea wrote:
And try to sign the modules?


So when building the kernel with:

Enable module signature verification

Code:
--- Enable loadable module support
[*]   Module signature verification
[*]     Require modules to be validly signed
[*]     Automatically sign all modules
      Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->


is it enough to stop potential rootkits from being loaded into the kernel, or does the kernel need to be built with proper keys also?

Logicien
Veteran


Joined: 16 Sep 2005
Posts: 1368
Location: Montréal

Posted: Sun Oct 09, 2016 5:40 pm

I think that module signatures prevent the loading of any module not signed with the key. I have not seen any option to sign the kernel image itself. It may be the job of a bootloader to prevent any unsigned kernel image from loading into memory.

The only options in the Enable load module support section of the Linux kernel configuration related to module loading are Force module loading and Module versioning support. They allow trying to load a module without version information and from another version than the running kernel itself, which is said to be a bad idea.

A way to prevent a module from being loaded is to not compile it or to blacklist it. The kernel loads the modules as they are needed; the administrator can load some too. You have the Security options and the Kernel hacking sections that can be of help for security.
_________________
Paul

Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5761

Posted: Sun Oct 09, 2016 7:32 pm

farmer.ro wrote:
I would like the modules that are running now to be loaded, but I would like to prevent any new modules that might be inserted into the kernel from being loaded.

Code:
printf 1 >| /proc/sys/kernel/modules_disabled

Cannot be reverted until next reboot.
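
Because the switch above is one-way until reboot, a boot script can check that the wanted modules are already loaded before flipping it. The following is an added example, not part of any post in this thread; the module names in the usage comment and the overridable `PROC_MODULES` / `LOCK_FILE` variables are assumptions for illustration.

```shell
#!/bin/sh
# Lock kernel module loading only after the required modules are present.
# Both paths can be overridden to try the logic on constructed files
# instead of the live kernel (assumption of this example).
PROC_MODULES=${PROC_MODULES:-/proc/modules}
LOCK_FILE=${LOCK_FILE:-/proc/sys/kernel/modules_disabled}

# is_loaded NAME: succeed if NAME is the first field of a /proc/modules line.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$PROC_MODULES"
}

# missing_modules NAME...: print each required module that is not loaded.
missing_modules() {
    for m in "$@"; do
        # modprobe accepts '-' in names; /proc/modules always shows '_'.
        is_loaded "$(printf %s "$m" | tr - _)" || printf '%s\n' "$m"
    done
}

# lock_modules NAME...: write 1 to modules_disabled, but refuse while any
# required module is missing, since it could not be loaded afterwards.
# Returns 0 = locked now, 1 = refused, 2 = was already locked.
lock_modules() {
    [ "$(cat "$LOCK_FILE")" = 1 ] && return 2
    missing=$(missing_modules "$@")
    if [ -n "$missing" ]; then
        echo "not locking, missing: $(echo $missing)" >&2
        return 1
    fi
    printf 1 > "$LOCK_FILE"
}

# Usage, as root and late in boot (module names are examples):
#   modprobe nvidia; modprobe vboxdrv
#   lock_modules nvidia vboxdrv
```

A return code of 1 leaves module loading enabled, so the caller can log the missing names and decide whether to retry or boot unlocked.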

All times are GMT