feat: support optionally disabling module sig verification

Support disabling kernel module signature verification.
Note that this does not work when SecureBoot is enabled.

Fixes: #11989

Signed-off-by: Noel Georgi <git@frezbo.dev>

Author: frezbo

api/resource/definitions/runtime/runtime.proto

@@ -156,6 +156,7 @@ message SecurityStateSpec {
   talos.resource.definitions.enums.RuntimeSELinuxState se_linux_state = 4;
   bool booted_with_uki = 5;
   talos.resource.definitions.enums.RuntimeFIPSState fips_state = 6;
+  bool module_signature_enforced = 7;
 }
 
 // UniqueMachineTokenSpec is the spec for the machine unique token. Token can be empty if machine wasn't assigned any.

hack/release.toml

@@ -119,6 +119,14 @@ Additionally `talosctl image cache-create` has some changes:
     * multiple instances (`--platform=linux/amd64 --platform=linux/arm64`);
 """
 
+    [notes.kernel-module]
+        title = "Kernel Module"
+        description = """\
+Talos now supports optionally disabling kernel module signature verification by setting `module.sig_enforce=0` kernel parameter.
+By default module signature verification is enabled (`module.sig_enforce=1`).
+When using Factory or Imager supply as `-module.sig_enfore module.sig_enforce=0` kernel parameters to disable module signature enforcement.
+"""
+
 [make_deps]
 
     [make_deps.tools]

internal/app/machined/pkg/controllers/runtime/security_state.go

@@ -21,6 +21,7 @@ import (
 	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/foxboron/go-uefi/efi"
+	"github.com/siderolabs/go-procfs/procfs"
 	"go.uber.org/zap"
 
 	machineruntime "github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
@@ -65,7 +66,7 @@ func (ctrl *SecurityStateController) Outputs() []controller.Output {
 
 // Run implements controller.Controller interface.
 //
-//nolint:gocyclo
+//nolint:gocyclo,cyclop
 func (ctrl *SecurityStateController) Run(ctx context.Context, r controller.Runtime, _ *zap.Logger) error {
 	for {
 		select {
@@ -87,6 +88,7 @@ func (ctrl *SecurityStateController) Run(ctx context.Context, r controller.Runti
 		var (
 			secureBootState          bool
 			bootedWithUKI            bool
+			moduleSignatureEnforced  bool
 			pcrSigningKeyFingerprint string
 		)
 
@@ -133,6 +135,11 @@ func (ctrl *SecurityStateController) Run(ctx context.Context, r controller.Runti
 			return fmt.Errorf("failed to get SELinux state: %w", err)
 		}
 
+		moduleSignatureEnforcedInfo := procfs.ProcCmdline().Get(constants.KernelParamEnforceModuleSigVerify).First()
+		if moduleSignatureEnforcedInfo != nil && *moduleSignatureEnforcedInfo == "1" {
+			moduleSignatureEnforced = true
+		}
+
 		fipsState := runtimeres.FIPSStateDisabled
 
 		if fipsmode.Enabled() {
@@ -149,6 +156,7 @@ func (ctrl *SecurityStateController) Run(ctx context.Context, r controller.Runti
 			state.TypedSpec().SELinuxState = selinuxState
 			state.TypedSpec().FIPSState = fipsState
 			state.TypedSpec().BootedWithUKI = bootedWithUKI
+			state.TypedSpec().ModuleSignatureEnforced = moduleSignatureEnforced
 
 			return nil
 		}); err != nil {

internal/integration/api/security.go

@@ -0,0 +1,66 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+//go:build integration_api
+
+package api
+
+import (
+	"context"
+	"time"
+
+	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/resource/rtestutils"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/siderolabs/talos/internal/integration/base"
+	"github.com/siderolabs/talos/pkg/machinery/client"
+	runtimeres "github.com/siderolabs/talos/pkg/machinery/resources/runtime"
+)
+
+// SecuritySuite verifies the security state resource.
+type SecuritySuite struct {
+	base.APISuite
+
+	ctx       context.Context //nolint:containedctx
+	ctxCancel context.CancelFunc
+}
+
+// SuiteName returns the name of the suite.
+func (suite *SecuritySuite) SuiteName() string {
+	return "api.SecuritySuite"
+}
+
+// SetupTest sets up the test.
+func (suite *SecuritySuite) SetupTest() {
+	// make sure API calls have timeout
+	suite.ctx, suite.ctxCancel = context.WithTimeout(context.Background(), 1*time.Minute)
+
+	if suite.Cluster == nil || suite.Cluster.Provisioner() != base.ProvisionerQEMU {
+		suite.T().Skip("skipping Security test since provisioner is not qemu")
+	}
+}
+
+// TearDownTest tears down the test.
+func (suite *SecuritySuite) TearDownTest() {
+	if suite.ctxCancel != nil {
+		suite.ctxCancel()
+	}
+}
+
+// TestSecurityState verifies that the security state resource is present and has valid values.
+func (suite *SecuritySuite) TestSecurityState() {
+	node := suite.RandomDiscoveredNodeInternalIP()
+	ctx := client.WithNode(suite.ctx, node)
+
+	rtestutils.AssertResources(ctx, suite.T(), suite.Client.COSI, []resource.ID{runtimeres.SecurityStateID},
+		func(r *runtimeres.SecurityState, asrt *assert.Assertions) {
+			asrt.True(r.TypedSpec().ModuleSignatureEnforced, "module signature enforcement should be enabled")
+		},
+	)
+}
+
+func init() {
+	allSuites = append(allSuites, &SecuritySuite{})
+}

internal/pkg/install/install.go

@@ -160,6 +160,7 @@ func RunInstallerContainer(
 		constants.KernelParamAuditdDisabled,
 		constants.KernelParamDashboardDisabled,
 		constants.KernelParamNetIfnames,
+		constants.KernelParamEnforceModuleSigVerify,
 	} {
 		if c := procfs.ProcCmdline().Get(preservedArg).First(); c != nil {
 			args = append(args, "--extra-kernel-arg", fmt.Sprintf("%s=%s", preservedArg, *c))

pkg/machinery/api/resource/definitions/runtime/runtime.pb.go

@@ -159,6 +159,10 @@ const (
 	// This param is injected by Equinix Metal and depends on the device ID and datacenter.
 	KernelParamEquinixMetalEvents = "em.events_url"
 
+	// KernelParamEnforceModuleSigVerify is the kernel parameter name to specify module signature verification enforcement.
+	// see https://github.com/siderolabs/talos/issues/11989
+	KernelParamEnforceModuleSigVerify = "module.sig_enforce"
+
 	// NewRoot is the path where the switchroot target is mounted.
 	NewRoot = "/root"
 

pkg/machinery/api/resource/definitions/runtime/runtime_vtproto.pb.go

@@ -286,3 +286,15 @@ func (q Quirks) SupportsEmbeddedConfig() bool {
 
 	return q.v.GTE(minTalosVersionEmbeddedConfig)
 }
+
+var minTalosVersionDisableModSigVerify = semver.MustParse("1.12.0")
+
+// SupportsDisablingModuleSignatureVerification returns true if the Talos version supports disabling module signature verification.
+func (q Quirks) SupportsDisablingModuleSignatureVerification() bool {
+	// if the version doesn't parse, we assume it's latest Talos
+	if q.v == nil {
+		return true
+	}
+
+	return q.v.GTE(minTalosVersionDisableModSigVerify)
+}

pkg/machinery/constants/constants.go

@@ -48,6 +48,10 @@ func DefaultArgs(quirks quirks.Quirks) []string {
 		result = append(result, constants.KernelParamSELinux+"=1")
 	}
 
+	if quirks.SupportsDisablingModuleSignatureVerification() {
+		result = append(result, constants.KernelParamEnforceModuleSigVerify+"=1") // see https://github.com/siderolabs/talos/issues/11989
+	}
+
 	return result
 }