Skip to content

Adding Support for the Custom Kernel Module Integrity Checks #1777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
adharsh277 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Adding Support for the Custom Kernel Module Integrity Checks #1777

adharsh277 wants to merge 2 commits into from

Conversation

@adharsh277
Copy link

@adharsh277 adharsh277 commented Jun 13, 2025

Add support for custom kernel module integrity verification at boot

This PR introduces a mechanism to verify the integrity of custom kernel modules at boot time. The change addresses a security concern where Flatcar currently does not check custom modules for tampering or unauthorized modifications, leaving potential room for malicious code injection.

The implementation uses a signed list of approved kernel module hashes. During boot, each custom module is checked against this list. If a mismatch is found or the module is not recognized, the system can block the module or issue a warning, depending on configuration. This adds a layer of integrity and trust to customized Flatcar deployments.

How to use

To test this feature:

  1. Place your custom kernel modules in the standard modules directory.
  2. Generate and sign a hash list using the provided script (scripts/module-integrity/generate-signed-hashlist.sh).
  3. Add the signature and hash list to the system directory (e.g., /etc/modules/trusted/).
  4. Reboot the system. During boot, the verification hook checks the modules.
  5. Unverified modules will be blocked or flagged in boot logs.

Testing done

I manually tested this on a Flatcar development VM:

  • Loaded signed modules: Passed verification, loaded successfully.
  • Modified one module: Verification failed and module was blocked.
  • Logs confirmed expected behavior.

Example:

dmesg | grep kernel-module-check
# Output: module xyz.ko failed signature verification, blocking load

@ader1990
Copy link

ader1990 commented Jun 13, 2025

Hello, I am looking at the changed files, are those changes the intended ones? The idea appears to be good, if you can give also some pointers on how it is implemented in other OSses and maybe on how we can integrate this idea directly in the Flatcar/scripts repo.

@tormath1
Copy link
Contributor

tormath1 commented Jun 13, 2025

@adharsh277 thanks - you do not need to submit a formal proposal like this. You can simply use the content of your idea file as issue description here: #1739
(and I think the Kuberneteessss folder is out of scope and it has been mistakenly pushed)

@github-actions github-actions bot mentioned this pull request Jun 22, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Flatcar tactical, release planning, and roadmap
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adharsh277 @ader1990 @tormath1