Kernel Log - Coming in 3.7 (Part 3): Infrastructure
Linux 3.7 can sign kernel modules and verify those signatures and, therefore, the integrity of the modules before loading them (1, 2, 3, 4, 5, 6, 7). Some enterprise distributions have had similar features for a while – for example, to ensure that the modules used for troubleshooting are really from the distribution kernel. Developers have been working on integrating the functionality into Linux as some distributions want to load only signed kernel modules when booted with UEFI secure boot – this is now possible with the integrated code.
Another new feature is the integrity appraisal extension for the Integrity Measurement Architecture (IMA), which the kernel has supported for quite some time now (1, 2). IMA can store signed hashes for files and use them to recognise when binaries from the Linux installation have been changed.