Disable runtime Kernel Module Loading on MicroOS/Kubic?
Hi everyone,

I was looking into something on SLE Micro/openSUSE MicroOS and came to the realisation that kernel modules are a potential risk to the atomicity of behaviour users expect from MicroOS.

We tell users that MicroOS will move from one known state to another, but as a kernel module could do literally anything, there is nothing stopping a kernel module being loaded after boot and undermining our 'known state' expectation.

Worse, in theory you could even have a kernel module loaded by an rpm, which could be executed from the transactional-update snapshot, making the module resident and active even if the snapshot is never booted into.

What are everyone's thoughts about possibly disabling kernel module loading by executing the following at the last stage of MicroOS's boot process?

    echo 1 > /proc/sys/kernel/modules_disabled

This will prevent kernel modules from being loaded once MicroOS is booted, and cannot be set back to 0 without a reboot.

Is there any scenario where we really might want a MicroOS system loading a kernel module after boot?

Regards,
--
Richard Brown
Linux Distribution Engineer - Future Technology Team
Phone +4991174053-361
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
-----Original Message-----
From: Richard Brown
Sent: 11 June 2021 14:22
To: kubic@lists.opensuse.org
Subject: Disable runtime Kernel Module Loading on MicroOS/Kubic?

Hi everyone,
Is there any scenario where we really might want a MicroOS system loading a kernel module after boot?
I think some modules can be loaded with hotplug. This would be relevant especially on desktop micros.

Cheers,
Guillaume
On Fri, 2021-06-11 at 12:30 +0000, Guillaume Gardet wrote:
I think some modules can be loaded with hotplug. This would be relevant especially on desktop micros.
Well this could easily be something we keep different for the desktop but set only for regular MicroOS.

Does anyone have any objection to this outside of the Desktop context?

Regards,
On Mon, Jun 21, 2021 at 5:39 AM Richard Brown
Well this could easily be something we keep different for the desktop but set only for regular MicroOS.
Does anyone have any objection to this outside of the Desktop context?
I think this would lead to unexpected issues as a lot of software tends to dynamically load modules when they see it not loaded (with e.g. modprobe). There are a fair number of kernel modules in Linux itself that we typically don't load at early boot and dynamically load them as hardware is brought up by udev.

Additionally, loading file systems and other things would fail if we did this, which could be extremely irritating to people trying to crash-cart or otherwise work with a server in an emergency situation.

I'm not sure this is really worth it.

--
真実はいつも一つ!/ Always, there's only one truth!
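The trade-off discussed in this thread, as an added example that is not part of any poster's message or of MicroOS itself: a POSIX shell helper that writes 1 to modules_disabled only when every module on an operator-supplied list is already loaded or built into the kernel, so on-demand loads such as file systems do not fail after the lock. The function names, the module list and the modules.builtin location are assumptions.

```shell
#!/bin/sh
# Added example: pre-lock audit before setting kernel.modules_disabled.
# All function names here are hypothetical, not MicroOS tooling.

# module_available NAME PROC_MODULES BUILTIN_LIST
# Succeeds if NAME is loaded (/proc/modules format) or built in
# (modules.builtin format, e.g. kernel/fs/ext4/ext4.ko).
module_available() {
    name=$(printf '%s' "$1" | tr '-' '_')   # the kernel reports '_' in names
    if awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$2"; then
        return 0
    fi
    sed -e 's#.*/##' -e 's#\.ko.*$##' "$3" | tr '-' '_' | grep -qxF -- "$name"
}

# missing_modules PROC_MODULES BUILTIN_LIST NAME...
# Prints each required module that could no longer be loaded after the lock.
missing_modules() {
    proc_file=$1; builtin_list=$2; shift 2
    for m in "$@"; do
        module_available "$m" "$proc_file" "$builtin_list" || printf '%s\n' "$m"
    done
}

# lock_modules SYSCTL_FILE PROC_MODULES BUILTIN_LIST NAME...
# Sets the one-way toggle only when nothing on the list is missing.
lock_modules() {
    sysctl_file=$1; shift
    missing=$(missing_modules "$@")
    if [ -n "$missing" ]; then
        echo "refusing to lock, not yet loaded: $(echo $missing)" >&2
        return 1
    fi
    echo 1 > "$sysctl_file"   # cannot be set back to 0 without a reboot
}

# Usage (as root, late in boot): script --lock xfs vfat nfs
# The module list is whatever the operator expects to need after boot.
if [ "${1:-}" = "--lock" ]; then
    shift
    lock_modules /proc/sys/kernel/modules_disabled /proc/modules \
        "/lib/modules/$(uname -r)/modules.builtin" "$@"
fi
```

A refusal lists the modules to preload (for example via modules-load.d) before the lock can be applied.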
participants (3)
- Guillaume Gardet
- Neal Gompa
- Richard Brown