New Package Request: [Add Support for Custom Kernel Module Integrity Checks]
Feature Request: [Add Support for Custom Kernel Module Integrity Checks]
Problem
Flatcar currently does not verify the integrity of custom kernel modules at boot. This results in potential security risks for users deploying their own modules, as malicious code could be injected.
Proposed Idea
I propose introducing a verification hook during the boot process that checks each custom kernel module against a signed list of hashes stored in the system. If a module isn't recognized or is modified, the system can either block it or raise a warning.
Value
This improves security and transparency for Flatcar users customizing their systems. It helps system administrators ensure only verified modules are used, reducing the risk of tampering or misconfiguration.
Related PR
Originally proposed as a pull request: [https://github.com/flatcar/flatcar-linux/pull/1737]
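To make the proposed boot-time check concrete, here is an added illustration (not Flatcar code and not from the linked PR) of the verify-against-a-signed-hash-list logic: the manifest is authenticated first, then each module is hashed and classified as ok, modified or unknown. It assumes constructed in-memory module contents in place of real .ko files and uses an HMAC tag under a system-held key as a stand-in for the asymmetric signature a real design would use.

```python
import hashlib
import hmac
import json

# Constructed sample: two "modules" standing in for .ko files read from disk.
MODULES = {
    "hello.ko": b"\x7fELF-hello-module-v1",
    "sensor.ko": b"\x7fELF-sensor-module-v1",
}

# Assumption: the manifest is protected with an HMAC tag under a key the system
# holds; a real implementation would verify an asymmetric signature instead.
MANIFEST_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(hashes: dict, key: bytes) -> dict:
    """Build the signed list of expected module hashes."""
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    body = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def check_modules(modules: dict, manifest: dict, key: bytes) -> dict:
    """Verdict per module: 'ok', 'modified' or 'unknown'. If the manifest itself
    fails verification, nothing can be trusted, so every module is 'blocked'."""
    if not manifest_is_authentic(manifest, key):
        return {name: "blocked" for name in modules}
    verdicts = {}
    for name, data in modules.items():
        expected = manifest["hashes"].get(name)
        if expected is None:
            verdicts[name] = "unknown"      # not in the signed list: warn or block
        elif hmac.compare_digest(expected, sha256_hex(data)):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"     # hash mismatch: block
    return verdicts


if __name__ == "__main__":
    manifest = sign_manifest({n: sha256_hex(d) for n, d in MODULES.items()}, MANIFEST_KEY)
    altered = dict(MODULES, **{"sensor.ko": b"\x7fELF-sensor-module-v2", "extra.ko": b"new"})
    print(check_modules(altered, manifest, MANIFEST_KEY))
```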
Hi @adharsh277 and thanks for the request, can you update the following link here: https://github.com/flatcar/flatcar-linux/pull/1737? It's a 404.
Hi @tormath1, You're right — the link is currently broken because I haven’t pushed the changes to GitHub yet. I'm working on pushing the custom-kernel-integrity-check branch with the proposed changes soon.
Once it's live, I’ll update the PR and link it here.
Appreciate your patience!
Thanks a lot for contributing to Flatcar and looking forward to seeing your contribution. Do not hesitate to join the Slack or Matrix Flatcar channels if you need help: https://github.com/flatcar/flatcar?tab=readme-ov-file#chat
Of course, and that's my pleasure @tormath1
Hi @adharsh277 any reason to close this issue? Are you not interested anymore in this feature?
Hi @tormath1, thanks for checking in! I closed the issue for now since the PR isn't live yet, but I’m still interested in this feature. I plan to push the custom-kernel-integrity-check branch by this upcoming Monday or within that week, and I’ll reopen the issue with the proper link then.