Do not keep it at /usr/src/linux on production systems as malware can then easily use this key to sign the malicious kernel modules (such as rootkits) and compromise the system further. The private key, stored as /certs/signing_key.pem, needs to be moved to a secure location (unless you will be creating new keys for new kernels, in which case the file can be removed). Once the kernel boots and we have validated that the signed kernel module support works, it is important to correctly handle the keys themselves. Root # modinfo -F signer modulename Administering kernel module signatures X509.genkey is located at /usr/src/linux/certs/x509.genkey.
#LINUX KERNEL MODULES VERIFICATION#
Currently only RSA keys are supported, but support for ECDSA signature verification was added in 2021. The following command, taken from kernel/Makefile, creates such a key pair. If we want to use our own keys, you can use openssl to create a key pair (private key and public key). At the end of the build process, you will notice that /certs/signing_key.pem and signing_key.x509 will be available on the root of the Linux kernel sources. If you want the Linux kernel build infrastructure to create it for you, just continue as you always do with a make and make modules_install. When the Linux kernel is building with module signature verification support enabled, then you can use your own keys or have the Linux kernel build infrastructure create a set for you. When building the Linux kernel, the kernel modules will not be signed automatically unless you select Automatically sign all modules ( CONFIG_MODULE_SIG_ALL).įinally, we need to select the hash algorithm to use with the cryptographic signature. Another way of enabling this strict approach is to set the kernel boot option module.sig_enforce=1. In the above example, the strict approach is used by selecting Require modules to be validly signed ( CONFIG_MODULE_SIG_FORCE). With the strict approach, a valid signature must be present. By default, the permissive approach is used, which means that the Linux kernel module either has to have a valid signature, or no signature. It supports two approaches on signed module support: a rather permissive one and a strict one. The option Module signature verification ( CONFIG_MODULE_SIG) enables the module signature verification in the Linux kernel.
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) -> You can find the necessary options under Enable loadable module support. Module signature verification is a kernel feature, so has to be enabled through the Linux kernel configuration. Ĭonfiguring module signature verification The certificates and signing files used to manually sign modules are available at. Unless you want to use your own keypair, this is all that has to be done to enable kernel module support.
2.4 Distributing the kernel and modulesĮnabling support is a matter of toggling a few settings in the Linux kernel configuration.2.3 Automatically signing kernel modules (Portage).2 Administering kernel module signatures.1.4 Alternative signed module validation check.
0 kommentar(er)
