Coffnix:Script to sign kernel modules

From Funtoo

Latest revision as of 07:21, June 19, 2022

Since Linux kernel version 3.7.x, the kernel has supported signed kernel modules. When enabled, the kernel checks the signature of every module it is asked to load. This allows the system to be "hardened": unsigned kernel modules, or modules signed with a wrong key, are not loaded. Malicious kernel modules are a common way for rootkits to enter a Linux system.

If you want the modules built together with the kernel to be signed automatically, enable the following in the kernel configuration:

--- Enable loadable module support
[*]   Module signature verification
[*]     Require modules to be validly signed
[*]     Automatically sign all modules
      Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
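The four menu entries above correspond to the Kconfig symbols CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE, CONFIG_MODULE_SIG_ALL and CONFIG_MODULE_SIG_SHA512. The following script is an added example, not part of the Funtoo page: it checks a kernel config file for those four values and, when the file exists, reports the running kernel's enforcement flag from /sys/module/module/parameters/sig_enforce. The config file path is whatever the caller passes (for example /usr/src/linux/.config, or /proc/config.gz decompressed with zcat into a file); the sample config lines in the comments are constructed.

```shell
#!/bin/bash
# Added example (not from the Funtoo page): verify that a kernel .config enables
# enforced, automatic SHA-512 module signing. Usage: bash check-sig-config.sh FILE

# Kconfig symbols behind the menu entries "Module signature verification",
# "Require modules to be validly signed", "Automatically sign all modules" and
# "Sign modules with SHA-512".
REQUIRED_OPTS="CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE CONFIG_MODULE_SIG_ALL CONFIG_MODULE_SIG_SHA512"

# config_value FILE SYMBOL -> prints the value (y, m, a string...) or "n" when the
# symbol is absent or appears only as "# SYMBOL is not set".
config_value() {
    local v
    v=$(grep -E "^${2}=" "$1" | head -n 1 | cut -d= -f2)
    echo "${v:-n}"
}

# check_sig_config FILE -> prints "missing: SYMBOL" for every option that is not
# "=y" and returns 0 only when all four are set. A constructed config such as
#   CONFIG_MODULE_SIG=y
#   # CONFIG_MODULE_SIG_FORCE is not set
# is reported as missing CONFIG_MODULE_SIG_FORCE (and whatever else is absent).
check_sig_config() {
    local opt missing=0
    for opt in $REQUIRED_OPTS; do
        if [ "$(config_value "$1" "$opt")" != "y" ]; then
            echo "missing: ${opt}"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# runtime_sig_enforce -> prints Y or N from sysfs when the running kernel exposes
# the module.sig_enforce parameter, otherwise "unknown".
runtime_sig_enforce() {
    if [ -r /sys/module/module/parameters/sig_enforce ]; then
        cat /sys/module/module/parameters/sig_enforce
    else
        echo unknown
    fi
}

# Only act when a config file was given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    if check_sig_config "$1"; then
        echo "ok: ${1} enables enforced SHA-512 module signing"
    else
        echo "FAIL: ${1} does not enable enforced SHA-512 module signing"
    fi
    echo "running kernel sig_enforce: $(runtime_sig_enforce)"
fi
```

Without CONFIG_MODULE_SIG_FORCE=y the kernel still loads an unsigned module (marking the kernel tainted) unless it was booted with module.sig_enforce=1, which is why the script treats that option as mandatory and also reads the runtime flag.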


Manually sign modules, for example the VirtualBox modules (app-emulation/virtualbox-modules):

# Older kernels ship sign-file as a perl script and keep the signing key in /usr/src/linux
for i in $(find /lib/modules/$(uname -r) -iname "*vbox*.ko"); do
     perl /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/signing_key.priv /usr/src/linux/signing_key.x509 "$i"
done


If you use kernel 4.3.3 or higher:

MODULES_DIR="/lib/modules/"
# Every directory under /lib/modules is a kernel version; its source is expected in /usr/src/linux-<version>
for i in $(find ${MODULES_DIR} -maxdepth 1 -type d|grep -vw "${MODULES_DIR}"|sed s,'/lib/modules/',,g);do
    KERNEL_DIR="/usr/src/linux-${i}"
    echo -e "Signing modules for kernel ${i}..."
    for z in $(find /lib/modules/${i} -type f -iname "*vbox*.ko");do
        # sign-file is a compiled tool here and the keys live in certs/
        ${KERNEL_DIR}/scripts/sign-file sha512 ${KERNEL_DIR}/certs/signing_key.pem ${KERNEL_DIR}/certs/signing_key.x509 "${z}"
    done
done


Automate signing the modules

Create the directories:

root #  mkdir -p /etc/funtoo/scripts
root #  mkdir -p /etc/funtoo/msv-sign


Create the config file, named after the ebuild and containing the list of modules to sign. Ex: app-emulation/virtualbox-modules

root #  cat /etc/funtoo/msv-sign/virtualbox-modules
vboxpci
vboxnetadp
vboxnetflt
vboxdrv


Create the script to sign the modules:

root #  cat /etc/funtoo/scripts/msv-sign.sh
#!/bin/bash

if [ -z "${1}" ];then
        echo -e "ERROR: Please type name of ebuild. Ex: \n\n # ${0} virtualbox-modules\n"
        exit 1
fi

# /usr/src/linux is a symlink such as linux-4.17.4-gentoo; strip the "linux-" prefix for /lib/modules
KERNEL_DIR="/usr/src/$(readlink /usr/src/linux)"
MODULES_DIR="/lib/modules/$(readlink /usr/src/linux|sed s,linux-,,g)"

while read MODULE;do
        # Sign modules
        MODULE_KO="$(find "${MODULES_DIR}" -type f -name "${MODULE}.ko")"
        if [ -z "${MODULE_KO}" ];then
                echo "WARNING: ${MODULE}.ko not found under ${MODULES_DIR}, skipping"
                continue
        fi
        "${KERNEL_DIR}/scripts/sign-file" sha512 "${KERNEL_DIR}/certs/signing_key.pem" "${KERNEL_DIR}/certs/signing_key.x509" "${MODULE_KO}"

        # reload modules
        rmmod "${MODULE}" 2> /dev/null
        modprobe "${MODULE}" 2> /dev/null

done < "/etc/funtoo/msv-sign/${1}"


Run in debug mode:

root #  bash -x /etc/funtoo/scripts/msv-sign.sh virtualbox-modules


Verify the signature:

root #  modinfo vboxdrv
filename:       /lib/modules/4.17.4-gentoo/misc/vboxdrv.ko
version:        5.2.12 r122591 (0x00290001)
license:        GPL
description:    Oracle VM VirtualBox Support Driver
author:         Oracle Corporation
srcversion:     63368184ED096B3022FD087
depends:        
retpoline:      Y
name:           vboxdrv
vermagic:       4.17.4-gentoo SMP mod_unload modversions 
sig_id:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4
signature:      30:82:02:9A:06:09:2A:86:48:86:F7:0D:01:07:02:A0:82:02:8B:30:
                82:02:87:02:01:01:31:0D:30:0B:06:09:60:86:48:01:65:03:04:02:
                03:30:0B:06:09:2A:86:48:86:F7:0D:01:07:01:31:82:02:64:30:82:
                02:60:02:01:01:30:3B:30:2E:31:2C:30:2A:06:03:55:04:03:0C:23:
                42:75:69:6C:64:20:74:69:6D:65:20:61:75:74:6F:67:65:6E:65:72:
                61:74:65:64:20:6B:65:72:6E:65:6C:20:6B:65:79:02:09:00:FB:8A:
                5E:14:40:AB:8F:36:30:0B:06:09:60:86:48:01:65:03:04:02:03:30:
                0D:06:09:2A:86:48:86:F7:0D:01:01:01:05:00:04:82:02:00:75:5D:
                F9:95:88:31:B8:FE:AD:53:6F:84:D8:9C:19:AE:77:36:BA:E7:0B:27:
                1F:5D:3A:22:78:94:BF:99:7F:31:87:65:88:17:F1:E9:C0:9C:87:2E:
                58:EE:3F:57:E4:3F:69:98:EB:A8:E4:6C:D9:FD:E1:66:D9:15:6E:36:
                AE:72:0C:CD:E4:D0:D4:89:F1:C0:3A:AD:CC:98:4C:2C:5A:90:86:21:
                B0:6C:9C:1D:DF:10:00:E0:33:BE:84:9A:00:D0:31:86:B1:B6:BD:42:
                08:1A:6C:2D:9E:C7:36:E1:90:24:C1:C9:41:54:27:AA:6E:B7:B0:D0:
                34:C6:16:46:76:5C:EF:31:AC:32:06:71:C2:AE:2E:D0:5A:97:9F:A3:
                25:A7:5B:46:A5:A0:B6:1F:A9:DA:D0:57:AB:95:A0:CB:AF:2C:32:CE:
                D5:8F:75:09:1D:81:7D:D2:E6:54:46:59:A5:78:D1:0A:F0:9B:B3:91:
                87:23:ED:78:B4:0A:9A:E0:3D:2A:9D:D4:12:93:7E:84:E7:8E:D1:DC:
                54:51:9E:23:58:FC:26:BF:13:F1:4A:02:18:4C:D9:D6:E4:D8:3B:14:
                93:72:32:AA:C3:9E:02:68:49:F7:B9:88:DF:9F:19:1F:83:75:5A:BA:
                08:FA:41:D7:98:79:94:E2:EB:2C:6A:09:7A:C0:AF:3A:55:DC:63:76:
                A8:1A:76:F9:3C:D0:D6:AB:01:7E:DA:B6:7C:30:C5:E1:8F:75:18:BA:
                59:4B:54:AF:B6:DA:E9:31:FB:50:DD:F0:B8:CA:79:FC:A4:25:AD:F0:
                86:26:15:34:11:A7:8F:B0:B3:10:22:D8:51:71:00:4B:D8:E4:FA:C2:
                18:D3:BF:6F:64:24:5A:5B:E6:A3:DD:BC:44:E6:91:07:2F:C6:70:66:
                C7:43:81:97:82:96:D8:BC:FA:9D:7C:4C:10:14:5D:6F:A3:F7:33:09:
                03:5D:1B:FC:D2:B2:19:C0:3C:6B:CA:E7:B9:72:E5:47:21:2A:21:81:
                3C:E0:D0:BF:65:82:74:F9:31:81:F1:15:36:7D:52:BA:D9:E6:7E:CE:
                1F:F2:73:57:52:7C:80:E9:47:98:88:8A:3B:B6:3C:71:FA:46:5E:9C:
                83:CF:05:1A:5D:54:D0:84:C1:A3:5F:15:BB:C4:6B:F2:A2:BE:49:38:
                B6:98:1B:B5:D3:98:88:00:14:DC:AF:81:01:7C:D6:22:A8:97:52:86:
                A4:A0:EF:23:A8:2C:7A:CC:CF:0C:86:E0:2D:3C:EC:8F:D8:A6:A4:E8:
                EC:BF:5A:4C:BF:D7:D9:19:29:A9:B3:02:6E:0B:08:AB:F7:32:02:EF:
                1D:0B:04:D7:55:E7:BD:B3:3C:19
parm:           force_async_tsc:force the asynchronous TSC mode (int)
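modinfo shows the signature of one module at a time. The following script is an added example, not part of the Funtoo page: it audits every uncompressed .ko under a directory for an appended kernel signature using only the documented on-disk layout (module, then the signature, then a 12-byte struct module_signature, then the 28-byte marker "~Module signature appended~\n"), so nothing is loaded. The directory argument is whatever the caller passes, for example /lib/modules/$(uname -r); compressed modules (.ko.xz, .ko.zst) are skipped because their trailer is inside the compressed stream. As a caveat on the output above: for PKCS#7 signatures (id_type 2) the algo and hash bytes of struct module_signature are zero, and a modinfo that does not parse the PKCS#7 blob prints that zero hash byte as "md4"; the digest actually used (SHA-512 here) is recorded inside the PKCS#7 data.

```shell
#!/bin/bash
# Added example (not from the Funtoo page): list signed and unsigned modules
# under a directory by inspecting the signature trailer.
# Layout at the end of a signed .ko:
#   [signature, sig_len bytes][struct module_signature, 12 bytes][marker, 28 bytes]
# struct module_signature: algo(1) hash(1) id_type(1) signer_len(1) key_id_len(1)
#                          pad(3) sig_len(4, big-endian)
# Usage: bash audit-modsig.sh /lib/modules/$(uname -r)

SIG_MARKER='~Module signature appended~'   # the file ends with this and "\n"

# has_sig_trailer FILE -> returns 0 when FILE ends with the 28-byte marker
has_sig_trailer() {
    # $(...) strips the trailing newline, so the 28 bytes compare to the 27-char string
    [ "$(tail -c 28 "$1")" = "$SIG_MARKER" ]
}

# sig_byte FILE OFFSET -> unsigned value of byte OFFSET (0..11) of struct
# module_signature, which starts 40 bytes before end of file
sig_byte() {
    tail -c $((40 - $2)) "$1" | head -c 1 | od -An -tu1 | tr -d ' '
}

# sig_length FILE -> sig_len from the trailer (big-endian u32 at struct offset 8)
sig_length() {
    local b0 b1 b2 b3
    b0=$(sig_byte "$1" 8); b1=$(sig_byte "$1" 9)
    b2=$(sig_byte "$1" 10); b3=$(sig_byte "$1" 11)
    echo $(( (b0 << 24) | (b1 << 16) | (b2 << 8) | b3 ))
}

# describe_sig FILE -> "pkcs7 sig_len=N" for id_type 2, otherwise the raw id_type
describe_sig() {
    local id_type
    id_type=$(sig_byte "$1" 2)
    case "$id_type" in
        2) echo "pkcs7 sig_len=$(sig_length "$1")" ;;
        *) echo "id_type=${id_type} sig_len=$(sig_length "$1")" ;;
    esac
}

# audit_modules DIR -> one line per *.ko: "signed   PATH DETAILS" or "UNSIGNED PATH"
audit_modules() {
    find "$1" -type f -name '*.ko' | sort | while read -r ko; do
        if has_sig_trailer "$ko"; then
            echo "signed   $ko $(describe_sig "$ko")"
        else
            echo "UNSIGNED $ko"
        fi
    done
}

# count_unsigned DIR -> number of modules under DIR without a signature trailer
count_unsigned() {
    audit_modules "$1" | grep -c '^UNSIGNED'
}

# Only act when a directory was given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    audit_modules "$1"
    echo "unsigned modules: $(count_unsigned "$1")"
fi
```

The trailer check proves only that a signature is attached, not that it verifies against the kernel's trusted keys; that decision is still made by the kernel at load time (or by a modinfo that can parse the PKCS#7 blob), so treat "UNSIGNED" lines as the actionable output and the "signed" lines as candidates for a key check.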