osresearch / safeboot

Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
https://safeboot.dev/
GNU General Public License v2.0

Linux kernel module loading one-time-authorization #43

Open osresearch opened 4 years ago

osresearch commented 4 years ago

The Linux kernel signed module support prevents modules from being loaded unless they are signed by a key on the kernel keyring. This works for most modules, although sometimes it might be useful to have a way to authorize loading a module for a single time. The kernel could produce a random nonce or the time of day could be used, the administrator signs the module plus the nonce, and the kernel verifies that the signature is valid and that the nonce matches (or that the timestamp is sufficiently fresh).

The timestamp-as-nonce fails if a local attacker, like Cher, can roll back time and replay the signed module again.
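The nonce variant of the proposal, as an added Go model that is not part of safeboot or the kernel: the verifier hands out one random nonce, the administrator signs module-plus-nonce, and the verifier accepts only a signature over the outstanding nonce and then consumes it, so the same signed blob cannot be replayed the way a rolled-back timestamp could be. Ed25519 stands in for whichever key type the kernel keyring would hold; the `Kernel` type, `IssueNonce`, `AdminSign` and `LoadModule` are this example's own names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Kernel models the verifier: the enrolled admin key and the one outstanding nonce.
type Kernel struct {
	adminPub ed25519.PublicKey
	nonce    []byte // nil when no one-time load is pending
}

// IssueNonce mints a fresh 32-byte random nonce for exactly one load attempt.
func (k *Kernel) IssueNonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	k.nonce = n
	return n, nil
}

// authMessage binds the module image and the nonce into one digest to sign.
func authMessage(module, nonce []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(module)
	return h.Sum(nil)
}

// AdminSign is the administrator's offline step: sign module plus nonce.
func AdminSign(priv ed25519.PrivateKey, module, nonce []byte) []byte {
	return ed25519.Sign(priv, authMessage(module, nonce))
}

// LoadModule accepts the module only if the nonce is the outstanding one and
// the signature verifies, then consumes the nonce so a replay is refused.
func (k *Kernel) LoadModule(module, nonce, sig []byte) error {
	if k.nonce == nil || !bytes.Equal(nonce, k.nonce) {
		return errors.New("stale or unknown nonce")
	}
	if !ed25519.Verify(k.adminPub, authMessage(module, nonce), sig) {
		return errors.New("signature does not verify")
	}
	k.nonce = nil
	return nil
}
```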

osresearch commented 4 years ago

The LSM loadpin changes the module loading behaviour, so it might be possible to extend it for this sort of auth or to learn how to modify the kernel. (The signed module requirement somewhat obsoletes the default loadpin setup) https://www.kernel.org/doc/html/v5.6/admin-guide/LSM/LoadPin.html