Coffnix:Script to sign kernel modules

From Funtoo
Revision as of 20:00, June 28, 2018 by Coffnix

Since Linux kernel version 3.7.x, support for signed kernel modules has been available. When enabled, the kernel verifies the signature of every module before loading it. This allows the system to be "hardened": unsigned modules, and modules signed with the wrong key, are refused. Malicious kernel modules are a common way for rootkits to enter a Linux system.

To enable module signing in the kernel configuration (modules built together with the kernel are then signed automatically):

--- Enable loadable module support
[*]   Module signature verification
[*]     Require modules to be validly signed
[*]     Automatically sign all modules
      Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->


Out-of-tree modules must be signed manually, for example the VirtualBox modules (app-emulation/virtualbox-modules):

# Sign every VirtualBox module of the running kernel with the key pair generated
# during the kernel build (before kernel 4.3, sign-file is a Perl script).
for i in $(find "/lib/modules/$(uname -r)" -iname "*vbox*.ko"); do
    perl /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/signing_key.priv /usr/src/linux/signing_key.x509 "$i"
done


If you use kernel 4.3.3 or higher, where sign-file is a compiled program and the signing keys live under certs/ in the kernel source tree:

# Sign the VirtualBox modules of every installed kernel, each with the key pair
# from its own source tree under /usr/src/linux-<version>.
MODULES_DIR="/lib/modules"
for i in $(find "${MODULES_DIR}" -mindepth 1 -maxdepth 1 -type d -printf '%f\n'); do
    KERNEL_DIR="/usr/src/linux-${i}"
    if [ ! -x "${KERNEL_DIR}/scripts/sign-file" ]; then
        echo "Skipping ${i}: no sign-file in ${KERNEL_DIR}" >&2
        continue
    fi
    echo "Signing modules for kernel ${i}..."
    for z in $(find "${MODULES_DIR}/${i}" -type f -iname "*vbox*.ko"); do
        "${KERNEL_DIR}/scripts/sign-file" sha512 "${KERNEL_DIR}/certs/signing_key.pem" "${KERNEL_DIR}/certs/signing_key.x509" "${z}"
    done
done
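After signing, it is worth checking two things: that the kernel configuration actually enforces signatures (the four options from the menu above) and that no module under /lib/modules was left unsigned, since with "Require modules to be validly signed" such a module will simply fail to load. The helper functions below are an added example, not part of the original page or of the Gentoo/Funtoo tooling. They rely only on POSIX sh and coreutils, and on the fact that the kernel appends the literal marker `~Module signature appended~` followed by a newline to every signed .ko file; the config file and module directory are passed in by the caller (for a live system: `/usr/src/linux/.config` and `/lib/modules/$(uname -r)`).

```shell
#!/bin/sh
# Added example: audit helpers for signed kernel modules (not from the original page).
# Assumes POSIX sh and coreutils; paths are supplied by the caller.

# A signed module ends with a signature block followed by this 27-byte magic string
# and a newline; the kernel uses the marker to locate the appended signature.
MODSIG_MAGIC='~Module signature appended~'

# is_module_signed FILE
# Exit 0 when FILE carries an appended signature marker, 1 otherwise.
# Command substitution strips the trailing newline, so 28 bytes compare to 27.
is_module_signed() {
    [ "$(tail -c 28 "$1")" = "$MODSIG_MAGIC" ]
}

# list_unsigned_modules DIR
# Print the path of every .ko file below DIR that has no signature marker;
# these are the modules that still need to be passed to sign-file.
list_unsigned_modules() {
    find "$1" -type f -name '*.ko' -print | while IFS= read -r ko; do
        is_module_signed "$ko" || echo "$ko"
    done
}

# check_sig_config CONFIG_FILE
# Print "ok" when CONFIG_FILE enables and enforces module signing with SHA-512
# (the options selected in the menu above), otherwise list the missing options.
check_sig_config() {
    missing=""
    for opt in CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y \
               CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y; do
        grep -qx "$opt" "$1" || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# Usage on a live system (commented out so the file can be sourced):
#   check_sig_config /usr/src/linux/.config
#   list_unsigned_modules "/lib/modules/$(uname -r)"
```

Note that the marker check only tells you a signature block is present; whether the signature validates against the key built into the kernel is decided at load time, so a module reported as signed here can still be rejected if it was signed with a different key than the one in certs/.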

Source:

https://wiki.gentoo.org/wiki/Signed_kernel_module_support