Difference between revisions of "Coffnix:Script to sign kernel modules"

From Funtoo
Jump to navigation Jump to search
(Created page with "Since the Linux kernel version 3.7.x, support for the signed kernel modules has been useful. When enabled, the Linux kernel kernel will be fixed. This allows the system to be...")
(No difference)

Revision as of 20:00, June 28, 2018

Since the Linux kernel version 3.7.x, support for the signed kernel modules has been useful. When enabled, the Linux kernel kernel will be fixed. This allows the system to be "hardened", not using the unsigned kernel, or kernel modules to be loaded with a wrong key, to be loaded. Malicious kernel modules are a common system for rootkits to enter a Linux system.

If you want to sign an embedded module in the kernel:

--- Enable loadable module support
[*]   Module signature verification
[*]     Require modules to be validly signed
[*]     Automatically sign all modules
      Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->


Manually sign modules, for example virtualbox modules ( (app-emulation/virtualbox-modules):

for i in $(find /lib/modules/$(uname -r) -iname "*vbox*.ko"); do
     perl /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/signing_key.priv /usr/src/linux/signing_key.x509 $i
done


If you use kernel 4.3.3 or higher:

MODULES_DIR="/lib/modules/"
for i in $(find ${MODULES_DIR} -maxdepth 1 -type d|grep -vw "${MODULES_DIR}"|sed s,'/lib/modules/',,g);do
    KERNEL_DIR="/usr/src/linux-${i}"
    echo -e "Assinando módulo para kernel ${i}..."
    for z in $(find /lib/modules/${i} -type f -iname "*vbox*.ko");do
        ${KERNEL_DIR}/scripts/sign-file sha512 ${KERNEL_DIR}/certs/signing_key.pem ${KERNEL_DIR}/certs/signing_key.x509 ${z}
    done
done

Source:

https://wiki.gentoo.org/wiki/Signed_kernel_module_support