Difference between revisions of "Signed kernel module support"

From Funtoo
Jump to navigation Jump to search
(fixing pathing on a command to be absolute, add module.sig_enforce boot.conf example)
Line 11: Line 11:
{{console|body=
{{console|body=
###i## openssl req -new -nodes -sha256 -x509 -newkey rsa:2048 -days 36500 -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3 -subj '/CN=Funtoo Secure Boot/' -out /etc/kernel/certs/linux/signing_key.cert -keyout /etc/kernel/certs/linux/signing_key.asc
###i## openssl req -new -nodes -sha256 -x509 -newkey rsa:2048 -days 36500 -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3 -subj '/CN=Funtoo Secure Boot/' -out /etc/kernel/certs/linux/signing_key.cert -keyout /etc/kernel/certs/linux/signing_key.asc
###i## cat signing_key.asc signing_key.cert > signing_key.pem
###i## cat /etc/kernel/certs/linux/signing_key.asc /etc/kernel/certs/linux/signing_key.cert > /etc/kernel/certs/linux/signing_key.pem
###i## openssl x509 -outform der -in /etc/kernel/certs/linux/signing_key.pem -out /etc/kernel/certs/linux/signing_key.x509
###i## openssl x509 -outform der -in /etc/kernel/certs/linux/signing_key.pem -out /etc/kernel/certs/linux/signing_key.x509
}}
}}
Line 35: Line 35:
{{note|If module.sig_enforce is enabled supplied on the kernel command line, the kernel will only load validly signed modules for which it has a public key. Otherwise, it will also load modules that are unsigned. Any module for which the kernel has a key, but which proves to have a signature mismatch will not be permitted to load.}}
{{note|If module.sig_enforce is enabled supplied on the kernel command line, the kernel will only load validly signed modules for which it has a public key. Otherwise, it will also load modules that are unsigned. Any module for which the kernel has a key, but which proves to have a signature mismatch will not be permitted to load.}}


Example /etc/boot.conf enabling kernel module signature verification:


{{file|name=/etc/boot.conf|desc=module.sig_enforce boot.conf|body=
"Funtoo Linux genkernel signing enforced" {
kernel kernel[-v]
initrd initramfs[-v]
params += real_root=auto rootfstype=auto module.sig_enforce=1
}
}}
One that is added regenerate your Funtoo Grub config with:
{{console|body=
###i## ego boot
}}


== Manually signing modules ==
== Manually signing modules ==

Revision as of 06:22, January 8, 2023

Since the Linux kernel version 3.7.x, support for the signed kernel modules has been useful. When enabled, the Linux kernel will be fixed. This allows the system to be "hardened", not using the unsigned kernel, or kernel modules to be loaded with a wrong key, to be loaded. Malicious kernel modules are a common system for rootkits to enter a Linux system.

When the Linux kernel is building with module signature verification support enabled, then you can use your own keys. We recommend the debian-sources kernel, just enabling the useflag "sign-modules".

root # echo "sys-kernel/debian-sources sign-modules" >> /etc/portage/package.use
root # mkdir -p /etc/kernel/certs/linux

We will manually generate the private/public key files using the x509.genkey key generation configuration file and the openssl command. Here is an example to generate the public/private key files:

root # openssl req -new -nodes -sha256 -x509 -newkey rsa:2048 -days 36500 -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3 -subj '/CN=Funtoo Secure Boot/' -out /etc/kernel/certs/linux/signing_key.cert -keyout /etc/kernel/certs/linux/signing_key.asc
root # cat /etc/kernel/certs/linux/signing_key.asc /etc/kernel/certs/linux/signing_key.cert > /etc/kernel/certs/linux/signing_key.pem
root # openssl x509 -outform der -in /etc/kernel/certs/linux/signing_key.pem -out /etc/kernel/certs/linux/signing_key.x509

Create DER file to sign grub and SHIM (secure boot):

root # openssl x509 -in /etc/kernel/certs/linux/signing_key.cert -outform der -out /etc/kernel/certs/linux/signing_key.der

Fix permissions:

root # chmod -R 644 /etc/kernel/certs/linux/signing_key.pem


Now, build debian-sources with your own keys:

root # emerge sys-kernel/debian-sources


Optional: Enable module.sig_enforce=1

   Note

If module.sig_enforce is enabled supplied on the kernel command line, the kernel will only load validly signed modules for which it has a public key. Otherwise, it will also load modules that are unsigned. Any module for which the kernel has a key, but which proves to have a signature mismatch will not be permitted to load.

Example /etc/boot.conf enabling kernel module signature verification:

   /etc/boot.conf - module.sig_enforce boot.conf
"Funtoo Linux genkernel signing enforced" {
	kernel kernel[-v]
	initrd initramfs[-v]
	params += real_root=auto rootfstype=auto module.sig_enforce=1
}

One that is added regenerate your Funtoo Grub config with:

root # ego boot

Manually signing modules

If you ever need to manually sign a kernel module, you can use the scripts/sign-file script available in the Linux kernel source tree. It requires four arguments:

  1. The hash algorithm to use, such as sha512.
  2. The private key location.
  3. The certificate (which includes the public key) location.
  4. The kernel module to sign.


root # /usr/src/linux/scripts/sign-file sha512 /etc/kernel/certs/linux/signing_key.pem /etc/kernel/certs/linux/signing_key.x509 ${MODULE_KO}

ready to shim

Now that our system has a signed kernel and modules, we can load them up for secure boot using the fedora shim.