Signed kernel module support

From Funtoo
Revision as of 06:29, June 19, 2022 by Coffnix

When the Linux kernel is built with module signature verification support enabled, you can sign modules with your own keys. We recommend the debian-sources kernel; just enable the "sign-modules" USE flag.

root # echo "sys-kernel/debian-sources sign-modules" >> /etc/portage/package.use
root # mkdir -p /etc/kernel/certs/linux

To use your own keys, create a key pair (private key and public key) with openssl. First, create a new file x509.genkey in the directory /etc/kernel/certs/linux:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
#O = Funtoo Corporation Inc
CN = Funtoo Linux
#emailAddress =

[ myexts ]

Next, generate the private/public key files with the openssl command, using x509.genkey as the key generation configuration file. The first command writes the private key and a self-signed certificate to signing_key.pem; the second exports the certificate in DER form as signing_key.x509:

root # openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config /etc/kernel/certs/linux/x509.genkey -outform PEM -out /etc/kernel/certs/linux/signing_key.pem -keyout /etc/kernel/certs/linux/signing_key.pem
root # openssl x509 -outform der -in /etc/kernel/certs/linux/signing_key.pem -out /etc/kernel/certs/linux/signing_key.x509

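Fix permissions. Note that signing_key.pem holds the private key, and mode 755 leaves it readable by every local user: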

root # chmod -R 755 /etc/kernel

Now, build debian-sources with your own keys:

root # emerge sys-kernel/debian-sources

Optional: Enable module.sig_enforce=1


If module.sig_enforce=1 is supplied on the kernel command line, the kernel will only load validly signed modules for which it has a public key. Otherwise, it will also load modules that are unsigned. Any module for which the kernel has a key, but which proves to have a signature mismatch, will not be permitted to load.
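
Before adding module.sig_enforce=1 to the command line, it helps to know which installed modules carry no signature, since those will stop loading. The script below is an added example, not part of the original Funtoo page: it checks only for the trailer that follows an appended module signature, and its function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page: list modules that carry no
# appended signature and would be refused under module.sig_enforce=1.
# Presence only; the kernel decides at load time whether a signature is valid.

# Trailer that follows an appended module signature (27 characters + "\n").
MAGIC='~Module signature appended~'

# Write the raw module to stdout, decompressing by file suffix.
module_bytes() {
    case "$1" in
        *.ko.xz)  xz -dc -- "$1" ;;
        *.ko.zst) zstd -dcq -- "$1" ;;
        *.ko.gz)  gzip -dc -- "$1" ;;
        *)        cat -- "$1" ;;
    esac
}

# Succeed if the module's last 28 bytes are the trailer. NUL bytes are
# dropped so the binary tail of an unsigned module compares cleanly.
has_signature() {
    [ "$(module_bytes "$1" | tail -c 28 | tr -d '\000')" = "$MAGIC" ]
}

# Print the path of every unsigned module below directory $1.
unsigned_modules() {
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.xz' \
        -o -name '*.ko.zst' -o -name '*.ko.gz' \) | sort |
    while IFS= read -r mod; do
        has_signature "$mod" || printf '%s\n' "$mod"
    done
}

# Enforcement state of the running kernel (Y or N), or "unknown" if the
# parameter file is absent (kernel built without module signing).
sig_enforce_state() {
    f=/sys/module/module/parameters/sig_enforce
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Run as: sh audit-modules.sh /lib/modules/$(uname -r)   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    echo "sig_enforce: $(sig_enforce_state)"
    unsigned_modules "$1"
fi
```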