Signed kernel module support
Revision as of 06:26, June 19, 2022
When the Linux kernel is built with module signature verification support enabled, you can use your own keys. We recommend the debian-sources kernel; just enable the USE flag "sign-modules".
root # echo "sys-kernel/debian-sources sign-modules" >> /etc/portage/package.use
root # mkdir -p /etc/kernel/certs/linux
To use your own keys, you can use openssl to create a key pair (private key and public key). First, create a new file x509.genkey in the directory /etc/kernel/certs/linux:
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
#O = Funtoo Corporation Inc
CN = Funtoo LiveCD
#emailAddress = email@example.com

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
We will manually generate the private/public key files using the x509.genkey key generation configuration file and the openssl command. The first command writes both the private key and the self-signed certificate into signing_key.pem; the second exports the certificate in DER form as signing_key.x509, which is what the kernel build embeds:
root # openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config /etc/kernel/certs/linux/x509.genkey -outform PEM -out /etc/kernel/certs/linux/signing_key.pem -keyout /etc/kernel/certs/linux/signing_key.pem
root # openssl x509 -outform der -in /etc/kernel/certs/linux/signing_key.pem -out /etc/kernel/certs/linux/signing_key.x509
root # chmod -R 755 /etc/kernel
Be aware that signing_key.pem holds the private key, and mode 755 leaves it readable by every local user; consider restricting it to root (for example chmod 600) once the build has finished, since anyone holding it can sign modules the kernel will trust.
Now, build debian-sources with your own keys:
root # emerge sys-kernel/debian-sources
Optional: Enable module.sig_enforce=1
If module.sig_enforce=1 is supplied on the kernel command line, the kernel will only load validly signed modules for which it has a public key. Otherwise, it will also load modules that are unsigned. In either mode, any module for which the kernel has a key but whose signature does not verify will not be permitted to load.
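Before turning on module.sig_enforce=1 it helps to know which modules on disk actually carry a signature, since any unsigned one will stop loading. The script below is an added example and not part of this wiki page or of debian-sources: it parses the trailer that the kernel's own signing tool appends to a .ko file (the PKCS#7 blob, then a 12-byte struct module_signature, then the magic string "~Module signature appended~\n"), reports whether a module is signed, and reads the current enforcement state from sysfs. The sample module bytes and the helper names (parse_module_signature, build_signed_sample, sig_enforce_state) are constructed here so it runs offline; only the trailer layout and the sysfs path are the kernel's.

```python
"""Inspect Linux kernel modules (.ko files) for an appended signature.

Added example (not from the Funtoo wiki page). The trailer layout follows the
kernel's module-signing format; the sample module below is constructed.
"""
import os
import struct

# Magic string the kernel's sign-file appends after the signature trailer.
SIG_MAGIC = b"~Module signature appended~\n"

# struct module_signature (12 bytes, no alignment padding):
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len,
#   u8 __pad[3], __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3xI")

# id_type value the kernel uses for PKCS#7-wrapped signatures (enum pkey_id_type).
PKEY_ID_PKCS7 = 2

# sysfs file that exposes the running kernel's sig_enforce setting.
SIG_ENFORCE_PATH = "/sys/module/module/parameters/sig_enforce"


def parse_module_signature(data: bytes):
    """Return a dict describing the appended signature, or None if unsigned.

    Raises ValueError when the magic is present but the trailer is malformed,
    which is the kind of module a kernel with sig_enforce=1 would refuse.
    """
    if not data.endswith(SIG_MAGIC):
        return None
    body = data[: -len(SIG_MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("signature trailer truncated")
    header = body[-SIG_STRUCT.size:]
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(header)
    payload = body[: -SIG_STRUCT.size]
    if sig_len > len(payload):
        raise ValueError("sig_len exceeds module size")
    # For PKCS#7 signatures the kernel requires the legacy fields to be zero.
    if id_type == PKEY_ID_PKCS7 and (algo, hash_id, signer_len, key_id_len) != (0, 0, 0, 0):
        raise ValueError("non-zero legacy fields in PKCS#7 trailer")
    module_len = len(payload) - sig_len
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "signature": payload[module_len:],
        "module_len": module_len,
    }


def build_signed_sample(module: bytes, signature: bytes) -> bytes:
    """Construct a signed-looking module image for offline testing (sample data)."""
    header = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return module + signature + header + SIG_MAGIC


def scan_modules(root: str):
    """Walk a module tree and return (signed, unsigned, malformed) path lists."""
    signed, unsigned, malformed = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".ko"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                info = parse_module_signature(data)
            except ValueError:
                malformed.append(path)
                continue
            (signed if info else unsigned).append(path)
    return signed, unsigned, malformed


def sig_enforce_state(path: str = SIG_ENFORCE_PATH):
    """Return True/False for the kernel's sig_enforce flag, or None if unreadable."""
    try:
        with open(path, "r") as fh:
            value = fh.read().strip()
    except OSError:
        return None
    return value == "Y"


if __name__ == "__main__":
    # Constructed sample: a fake ELF prefix followed by a fake PKCS#7 blob.
    sample = build_signed_sample(b"\x7fELF" + b"A" * 100, b"\x30\x82" + b"S" * 40)
    print(parse_module_signature(sample))
    print("sig_enforce:", sig_enforce_state())
```

Run it against a real tree with scan_modules("/lib/modules/$(uname -r)") to list unsigned modules before enabling enforcement; the parser only checks that a trailer is present and well-formed, while verifying the PKCS#7 signature against the embedded public key is the kernel's job at load time.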