The Linux kernel may not be quite as secure as it should be
Kernel developers have gracefully accepted suggestions concerning release signing process
A policy and process review of the Linux kernel has identified some “potential pain points” in the handling and signing process of the security keys for the Linux kernel.
The review of the kernel team’s processes for signing releases and of the policies and procedures for handling the signing keys was sought by the Linux Foundation and conducted by cybersecurity experts at the Open Source Technology Improvement Fund (OSTIF) and Trail of Bits.
“This review resulted in seven recommendations that can help improve the robustness of the security and use of the signing keys for the Linux Kernel,” notes OSTIF in its report.
In addition to the recommendations, the report notes that Trail of Bits suggested that kernel developers should flesh out and update the documentation on their procedures and policies, so that organizations can understand the current practices.
Key issues
In addition to highlighting the shortcomings, the report also included a series of recommended mitigations.
Notably, the Linux Foundation kernel team members more or less agreed to most of the suggestions, except for one that goes against the principles of the wider open source community.
The report pointed out that the kernel project doesn’t require individuals with commit rights on key Linux kernel repositories to store the private key material used for GPG or SSH on a separate smart card device.
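A defender’s way to check the control the report describes is to audit whether a maintainer’s GPG private keys actually live on a smart card rather than in the on-disk keyring. The script below is an added example and is not code from the report, from OSTIF, from Trail of Bits or from the kernel project. It parses the colon-delimited output of `gpg --with-colons -K` (documented in GnuPG’s doc/DETAILS), where field 15 of a `sec`/`ssb` record carries the serial number of the token holding the key, a lone `#` marks a stub with no private material, and an empty field means the private key is stored on disk. The key IDs, serial number and user ID in the sample listing are constructed, not real.

```python
"""Audit a GnuPG secret-key listing for private keys that are not held on a smart card.

Added example (not the report's or the kernel project's code). Input is the
machine-readable output of `gpg --with-colons -K`; only `sec` and `ssb` records
are inspected, and field 15 (index 14) decides where the private key lives.
"""

import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample of `gpg --with-colons -K` output (key IDs, fingerprint and
# serial number are made up): an offline primary key kept as a stub, a signing
# subkey on a card, and an encryption subkey whose private part sits on disk.
SAMPLE_LISTING = """\
sec:u:4096:1:0000000000000001:1700000000:::u:::scESC:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1700000000::0000000000000000000000000000000000000003::Example Maintainer <maintainer@example.invalid>::::::::::0:
ssb:u:4096:1:0000000000000002:1700000000::::::s:::D2760001240102010006000000010000:::23:
ssb:u:4096:1:0000000000000003:1700000000::::::e::::::23:
"""


@dataclass
class KeyRecord:
    kind: str          # "sec" (primary key) or "ssb" (subkey)
    keyid: str
    capabilities: str  # e.g. "scESC", "s", "e"
    storage: str       # "card", "stub" or "disk"
    serial: str        # token serial number when on a card, else ""


def classify_storage(token_field: str) -> str:
    """Map field 15 of a sec/ssb record to where the private key material is."""
    if token_field == "#":
        return "stub"          # no private key material present locally
    if token_field in ("", "+"):
        return "disk"          # private key is in the local keyring ('+' only appears with --with-secret)
    return "card"              # anything else is the serial number of the token holding the key


def parse_secret_listing(listing: str) -> List[KeyRecord]:
    """Parse sec/ssb records from colon-format output; other record types are skipped."""
    records: List[KeyRecord] = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 15 or fields[0] not in ("sec", "ssb"):
            continue
        storage = classify_storage(fields[14])
        records.append(
            KeyRecord(
                kind=fields[0],
                keyid=fields[4],
                capabilities=fields[11],
                storage=storage,
                serial=fields[14] if storage == "card" else "",
            )
        )
    return records


def keys_not_on_card(records: List[KeyRecord]) -> List[KeyRecord]:
    """Return every key whose private material is on disk, i.e. the finding the report raises."""
    return [r for r in records if r.storage == "disk"]


def report(listing: str) -> List[str]:
    """Build one human-readable line per key; the usable check is keys_not_on_card()."""
    lines = []
    for r in parse_secret_listing(listing):
        where = f"card {r.serial}" if r.storage == "card" else r.storage
        lines.append(f"{r.kind} {r.keyid} [{r.capabilities}] -> {where}")
    return lines


def live_listing() -> str:
    """Fetch the real listing from the local gpg; only used when run with --live."""
    return subprocess.run(["gpg", "--with-colons", "-K"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    text = live_listing() if "--live" in sys.argv else SAMPLE_LISTING
    print("\n".join(report(text)))
    offenders = keys_not_on_card(parse_secret_listing(text))
    if offenders:
        print(f"{len(offenders)} private key(s) stored on disk rather than on a smart card")
```

Run it with `--live` on a maintainer workstation to check the actual keyring; any `ssb`/`sec` line resolving to `disk` is private key material that a card-enforcing policy would not allow.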
Furthermore, the Nitrokey smart card that the Linux Foundation recommends doesn’t support touch activation, which the report argues offers far better protection than a Nitrokey guarded only by a passphrase.
The report notes that the Linux Foundation kernel team members responded to these suggestions by saying they are unable to switch to a YubiKey with touch activation, since it is not open source and can’t be trusted for securing critical infrastructure.
However, the developers said they might update their policies to recommend that the current Nitrokeys be physically removed from the administrator’s computer when not in use.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.