Difference between revisions of "Signed kernel module support"

From Funtoo

Revision as of 06:29, June 19, 2022

When the Linux kernel is built with module signature verification support enabled, you can sign modules with your own keys. We recommend the debian-sources kernel; just enable the USE flag "sign-modules".

root # echo "sys-kernel/debian-sources sign-modules" >> /etc/portage/package.use
root # mkdir -p /etc/kernel/certs/linux


If you want to use your own keys, use openssl to create a key pair (private key and public key). First, create a new file x509.genkey in the directory /etc/kernel/certs/linux:

   /etc/kernel/certs/linux/x509.genkey
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
#O = Funtoo Corporation Inc
CN = Funtoo Linux
#emailAddress = drobbins@funtoo.org

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid


We will generate the private/public key files manually, using the x509.genkey key generation configuration file and the openssl command. Here is an example that generates the public/private key files:

root # openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config /etc/kernel/certs/linux/x509.genkey -outform PEM -out /etc/kernel/certs/linux/signing_key.pem -keyout /etc/kernel/certs/linux/signing_key.pem
root # openssl x509 -outform der -in /etc/kernel/certs/linux/signing_key.pem -out /etc/kernel/certs/linux/signing_key.x509


Fix permissions:

root # chmod -R 755 /etc/kernel


Now, build debian-sources with your own keys:

root # emerge sys-kernel/debian-sources
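The key generation and build steps above, carried through as a runnable script. This is an added example, not code from the Funtoo page: it writes the same x509.genkey configuration, runs the page's two openssl commands, checks that the resulting files are what the kernel build expects, and adds a post-build check that a .ko file really carries a signature (the kernel appends a fixed marker string after the signature block). It assumes a scratch directory in SIGN_DIR standing in for /etc/kernel/certs/linux, so it can be run without touching the real key location.

```shell
#!/bin/sh
# Added example, not from the Funtoo page: generate a module-signing key pair
# from the x509.genkey configuration above and verify the result. It works in
# a scratch directory so it can be run without touching /etc/kernel.
# Assumption: SIGN_DIR stands in for /etc/kernel/certs/linux and defaults to a
# temporary directory created by mktemp.
set -eu

SIGN_DIR="${SIGN_DIR:-$(mktemp -d)}"

# Write the same key-generation configuration the page uses.
write_genkey() {
    cat > "$SIGN_DIR/x509.genkey" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Funtoo Linux

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
}

# The two openssl commands from the page, pointed at SIGN_DIR. The first writes
# the private key and the self-signed certificate into one PEM file; the second
# exports the certificate alone as DER for the kernel build. Generation is
# skipped if a key pair is already present, so the script is safe to re-run.
gen_keys() {
    if [ ! -s "$SIGN_DIR/signing_key.pem" ]; then
        openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 \
            -config "$SIGN_DIR/x509.genkey" -outform PEM \
            -out "$SIGN_DIR/signing_key.pem" -keyout "$SIGN_DIR/signing_key.pem"
    fi
    openssl x509 -outform der -in "$SIGN_DIR/signing_key.pem" \
        -out "$SIGN_DIR/signing_key.x509"
}

# Sanity checks worth running before building the kernel: the PEM holds both
# the private key and the certificate, the certificate is not a CA, is marked
# for digital signatures, carries the expected CN, and the DER copy parses.
check_cert() {
    pem="$SIGN_DIR/signing_key.pem"
    grep -q 'PRIVATE KEY' "$pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
    text=$(openssl x509 -in "$pem" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q 'Digital Signature' || return 1
    printf '%s\n' "$text" | grep -q 'Funtoo Linux' || return 1
    openssl x509 -inform der -in "$SIGN_DIR/signing_key.x509" -noout
}

# After the build, confirm a module actually carries a signature: the kernel
# appends the signature block followed by the fixed 28-byte marker
# "~Module signature appended~\n" to every signed (uncompressed) .ko file.
is_module_signed() {
    [ -f "$1" ] || return 1
    tail -c 28 "$1" | grep -q 'Module signature appended'
}

write_genkey
gen_keys
if check_cert; then
    echo "key pair in $SIGN_DIR looks usable for module signing"
else
    echo "key pair in $SIGN_DIR failed verification" >&2
    exit 1
fi
```

Once the kernel is built, point is_module_signed at a module under /lib/modules/<version>/ to confirm the sign-modules USE flag took effect; if modules are stored compressed (.ko.xz, .ko.zst), decompress first, since the signature and marker live inside the uncompressed file.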


Optional: Enable module.sig_enforce=1

   Note

If module.sig_enforce=1 is supplied on the kernel command line, the kernel will only load validly signed modules for which it has a public key. Otherwise, it will also load unsigned modules. Any module for which the kernel has a key, but whose signature does not verify, will not be permitted to load in either case.