The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Coffnix:Script to sign kernel modules
Latest revision as of 07:21, June 19, 2022
Since Linux kernel 3.7 the kernel can verify signatures on loadable modules. When the feature is enabled, the kernel checks a cryptographic signature appended to each module at load time. This hardens the system: a module that is unsigned, or signed with a key the kernel does not trust, is rejected (or, if enforcement is not enabled, loaded with a warning and the kernel marked tainted). Malicious kernel modules are a common way for rootkits to get into a Linux system, so requiring every module to carry a signature from your own build key closes off that path to anyone who does not also hold the key.
To enable module signature verification in the kernel configuration (make menuconfig):
<pre>
--- Enable loadable module support
    [*] Module signature verification
    [*]   Require modules to be validly signed
    [*]   Automatically sign all modules
          Which hash algorithm should modules be signed with? (Sign modules with SHA-512)  --->
</pre>
In .config terms this is CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, CONFIG_MODULE_SIG_ALL=y and CONFIG_MODULE_SIG_SHA512=y. "Require modules to be validly signed" is the option that actually refuses unsigned modules; without it (or module.sig_enforce=1 on the kernel command line) they still load and merely taint the kernel. "Automatically sign all modules" only covers the in-tree modules built with the kernel. Out-of-tree modules built by separate packages, such as virtualbox-modules, are not touched by the kernel build and have to be signed by hand, as shown below. The kernel build generates its own key pair inside the source tree (certs/signing_key.pem and certs/signing_key.x509 on 4.3 and newer). Treat signing_key.pem as a secret: anyone who can read it can sign a module the kernel will accept. Each kernel source tree carries its own key, so out-of-tree modules must be re-signed after every kernel upgrade.
Manually sign modules, for example the VirtualBox modules (app-emulation/virtualbox-modules):
<pre>
# Kernels before 4.3: sign-file is a Perl script and the key pair lives at the top of the source tree.
for i in $(find /lib/modules/$(uname -r) -iname "*vbox*.ko"); do
    perl /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/signing_key.priv /usr/src/linux/signing_key.x509 "$i"
done
</pre>
If you use kernel 4.3.3 or higher (sign-file is a compiled binary and the keys live under certs/), this loop signs the VirtualBox modules for every installed kernel that still has its source tree:
<pre>
MODULES_DIR="/lib/modules"
# One source tree, and therefore one signing key, per installed kernel version.
for KVER in $(find "${MODULES_DIR}" -mindepth 1 -maxdepth 1 -type d -printf '%f\n'); do
    KERNEL_DIR="/usr/src/linux-${KVER}"
    if [ ! -x "${KERNEL_DIR}/scripts/sign-file" ]; then
        echo "Skipping ${KVER}: no ${KERNEL_DIR}/scripts/sign-file (source tree not installed)" >&2
        continue
    fi
    echo "Signing modules for kernel ${KVER}..."
    for z in $(find "${MODULES_DIR}/${KVER}" -type f -iname "*vbox*.ko"); do
        "${KERNEL_DIR}/scripts/sign-file" sha512 "${KERNEL_DIR}/certs/signing_key.pem" "${KERNEL_DIR}/certs/signing_key.x509" "${z}"
    done
done
</pre>
Automate signing of the modules
Create the directories:
root # mkdir -p /etc/funtoo/scripts
root # mkdir -p /etc/funtoo/msv-sign
Create a config file containing the list of modules to sign, one per line. Example for app-emulation/virtualbox-modules (order matters when the modules are unloaded: list modules that depend on others first; here vboxpci, vboxnetadp and vboxnetflt all depend on vboxdrv):
root # cat /etc/funtoo/msv-sign/virtualbox-modules
<pre>
vboxpci
vboxnetadp
vboxnetflt
vboxdrv
</pre>
Create the script to sign the modules:
root # cat /etc/funtoo/scripts/msv-sign.sh
<pre>
#!/bin/bash
# Sign the modules listed in /etc/funtoo/msv-sign/<name> with the current
# kernel's build-time key, then reload them so the signed copies are in use.
if [ -z "${1}" ]; then
    echo -e "ERROR: Please give the name of a module list. Ex:\n\n # ${0} virtualbox-modules\n" >&2
    exit 1
fi
KERNEL_DIR="$(readlink -f /usr/src/linux)"
MODULES_DIR="/lib/modules/${KERNEL_DIR##*/linux-}"   # /usr/src/linux-<ver> -> /lib/modules/<ver>
SIGN_FILE="${KERNEL_DIR}/scripts/sign-file"
KEY="${KERNEL_DIR}/certs/signing_key.pem"
CERT="${KERNEL_DIR}/certs/signing_key.x509"
[ -x "${SIGN_FILE}" ] && [ -r "${KEY}" ] || { echo "ERROR: ${SIGN_FILE} or ${KEY} missing" >&2; exit 1; }
mapfile -t MODULES < "/etc/funtoo/msv-sign/${1}" || exit 1

# Pass 1: sign every module on disk; stop on the first failure.
for MODULE in "${MODULES[@]}"; do
    MODULE_KO="$(find "${MODULES_DIR}" -type f -name "${MODULE}.ko" | head -n 1)"
    [ -n "${MODULE_KO}" ] || { echo "ERROR: ${MODULE}.ko not found under ${MODULES_DIR}" >&2; exit 1; }
    "${SIGN_FILE}" sha512 "${KEY}" "${CERT}" "${MODULE_KO}" || exit 1
done
# Pass 2: unload in list order (dependents before vboxdrv), then reload in
# reverse. Unloading inside the signing loop would re-load the dependents
# against the old vboxdrv and leave the unsigned copy pinned in memory.
for MODULE in "${MODULES[@]}"; do
    lsmod | grep -q "^${MODULE} " || continue          # not loaded: nothing to replace
    rmmod "${MODULE}" || echo "WARNING: ${MODULE} still in use; reboot to run the signed copy" >&2
done
for (( i=${#MODULES[@]}-1; i>=0; i-- )); do
    modprobe "${MODULES[i]}"
done
</pre>
Run in debug mode:
root # bash -x /etc/funtoo/scripts/msv-sign.sh virtualbox-modules
Verify the signature. modinfo reads the .ko on disk, so this confirms the file was signed, not that the signed copy is the one currently loaded (check that with lsmod after the reload, or reboot):
root # modinfo vboxdrv
<pre>
filename:       /lib/modules/4.17.4-gentoo/misc/vboxdrv.ko
version:        5.2.12 r122591 (0x00290001)
license:        GPL
description:    Oracle VM VirtualBox Support Driver
author:         Oracle Corporation
srcversion:     63368184ED096B3022FD087
depends:
retpoline:      Y
name:           vboxdrv
vermagic:       4.17.4-gentoo SMP mod_unload modversions
sig_id:         PKCS#7
signer:
sig_key:
sig_hashalgo:   md4
signature:      30:82:02:9A:06:09:2A:86:48:86:F7:0D:01:07:02:A0:82:02:8B:30:
                82:02:87:02:01:01:31:0D:30:0B:06:09:60:86:48:01:65:03:04:02:
                03:30:0B:06:09:2A:86:48:86:F7:0D:01:07:01:31:82:02:64:30:82:
                02:60:02:01:01:30:3B:30:2E:31:2C:30:2A:06:03:55:04:03:0C:23:
                42:75:69:6C:64:20:74:69:6D:65:20:61:75:74:6F:67:65:6E:65:72:
                61:74:65:64:20:6B:65:72:6E:65:6C:20:6B:65:79:02:09:00:FB:8A:
                5E:14:40:AB:8F:36:30:0B:06:09:60:86:48:01:65:03:04:02:03:30:
                0D:06:09:2A:86:48:86:F7:0D:01:01:01:05:00:04:82:02:00:75:5D:
                F9:95:88:31:B8:FE:AD:53:6F:84:D8:9C:19:AE:77:36:BA:E7:0B:27:
                1F:5D:3A:22:78:94:BF:99:7F:31:87:65:88:17:F1:E9:C0:9C:87:2E:
                58:EE:3F:57:E4:3F:69:98:EB:A8:E4:6C:D9:FD:E1:66:D9:15:6E:36:
                AE:72:0C:CD:E4:D0:D4:89:F1:C0:3A:AD:CC:98:4C:2C:5A:90:86:21:
                B0:6C:9C:1D:DF:10:00:E0:33:BE:84:9A:00:D0:31:86:B1:B6:BD:42:
                08:1A:6C:2D:9E:C7:36:E1:90:24:C1:C9:41:54:27:AA:6E:B7:B0:D0:
                34:C6:16:46:76:5C:EF:31:AC:32:06:71:C2:AE:2E:D0:5A:97:9F:A3:
                25:A7:5B:46:A5:A0:B6:1F:A9:DA:D0:57:AB:95:A0:CB:AF:2C:32:CE:
                D5:8F:75:09:1D:81:7D:D2:E6:54:46:59:A5:78:D1:0A:F0:9B:B3:91:
                87:23:ED:78:B4:0A:9A:E0:3D:2A:9D:D4:12:93:7E:84:E7:8E:D1:DC:
                54:51:9E:23:58:FC:26:BF:13:F1:4A:02:18:4C:D9:D6:E4:D8:3B:14:
                93:72:32:AA:C3:9E:02:68:49:F7:B9:88:DF:9F:19:1F:83:75:5A:BA:
                08:FA:41:D7:98:79:94:E2:EB:2C:6A:09:7A:C0:AF:3A:55:DC:63:76:
                A8:1A:76:F9:3C:D0:D6:AB:01:7E:DA:B6:7C:30:C5:E1:8F:75:18:BA:
                59:4B:54:AF:B6:DA:E9:31:FB:50:DD:F0:B8:CA:79:FC:A4:25:AD:F0:
                86:26:15:34:11:A7:8F:B0:B3:10:22:D8:51:71:00:4B:D8:E4:FA:C2:
                18:D3:BF:6F:64:24:5A:5B:E6:A3:DD:BC:44:E6:91:07:2F:C6:70:66:
                C7:43:81:97:82:96:D8:BC:FA:9D:7C:4C:10:14:5D:6F:A3:F7:33:09:
                03:5D:1B:FC:D2:B2:19:C0:3C:6B:CA:E7:B9:72:E5:47:21:2A:21:81:
                3C:E0:D0:BF:65:82:74:F9:31:81:F1:15:36:7D:52:BA:D9:E6:7E:CE:
                1F:F2:73:57:52:7C:80:E9:47:98:88:8A:3B:B6:3C:71:FA:46:5E:9C:
                83:CF:05:1A:5D:54:D0:84:C1:A3:5F:15:BB:C4:6B:F2:A2:BE:49:38:
                B6:98:1B:B5:D3:98:88:00:14:DC:AF:81:01:7C:D6:22:A8:97:52:86:
                A4:A0:EF:23:A8:2C:7A:CC:CF:0C:86:E0:2D:3C:EC:8F:D8:A6:A4:E8:
                EC:BF:5A:4C:BF:D7:D9:19:29:A9:B3:02:6E:0B:08:AB:F7:32:02:EF:
                1D:0B:04:D7:55:E7:BD:B3:3C:19
parm:           force_async_tsc:force the asynchronous TSC mode (int)
</pre>
Do not be alarmed by sig_hashalgo: md4 and the empty signer: and sig_key: fields. For a PKCS#7 signature those values are carried inside the PKCS#7 blob, not in the module's signature header; kmod releases without PKCS#7 parsing support leave them blank and print the first entry of their hash-name table, which is md4. The signature itself tells the real story: the bytes 60:86:48:01:65:03:04:02:03 are the OID for SHA-512, and the run 42:75:69:6C:64:20:74:69:6D:65:20:61:75:74:6F:67:65:6E:65:72:61:74:65:64:20:6B:65:72:6E:65:6C:20:6B:65:79 is the signer's common name, "Build time autogenerated kernel key", i.e. the key the kernel build generated in certs/. A newer kmod built with OpenSSL support prints those two facts directly.
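The helper below is an added example, not part of this page or of the Funtoo scripts. It does offline what the sig_* lines of modinfo summarise, and it also answers the question the manual-signing section leaves open after a kernel upgrade, namely which modules still lack a signature. It parses the trailer that scripts/sign-file appends to a .ko: a struct module_signature (algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len) followed by the 28-byte magic string "~Module signature appended~\n", as defined in the kernel's include/linux/module_signature.h, and checks that the advertised sig_len actually fits in the file instead of trusting the header. The function names, the constructed fake module written by make_fake_signed_ko and its 5-byte placeholder signature are assumptions for demonstration; a real module carries a PKCS#7 blob of several hundred bytes, like the one shown above.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): inspect the module signature trailer
# and list modules in a tree that have none.
#
# Trailer layout (include/linux/module_signature.h):
#   <ELF module> <signer> <key id> <signature> <struct module_signature> <magic>
#   struct module_signature, 12 bytes:
#     u8 algo; u8 hash; u8 id_type; u8 signer_len; u8 key_id_len; u8 pad[3]; __be32 sig_len;
#   magic: "~Module signature appended~\n" (28 bytes)
# For PKCS#7 signatures (id_type 2, what the C sign-file produces) algo, hash,
# signer_len and key_id_len are 0: signer and digest live inside the PKCS#7 blob.

SIG_MAGIC='~Module signature appended~'

# id_type_name N -> PGP / X509 / PKCS#7 / unknown(N)
id_type_name() {
    case "$1" in
        0) echo PGP ;;
        1) echo X509 ;;
        2) echo 'PKCS#7' ;;
        *) echo "unknown($1)" ;;
    esac
}

# ko_sig_info FILE
# Prints "unsigned" (exit 1), "corrupt trailer ..." (exit 2) or
# "signed type=<id_type> sig_len=<bytes>" (exit 0).
ko_sig_info() {
    local ko="$1" size id_type signer_len key_id_len sig_len
    size=$(wc -c < "$ko" | tr -d ' ')
    # Need at least the 12-byte struct plus the 28-byte magic.
    if [ "$size" -lt 40 ]; then
        echo unsigned
        return 1
    fi
    if [ "$(tail -c 28 "$ko" | head -c 27)" != "$SIG_MAGIC" ]; then
        echo unsigned
        return 1
    fi
    # Decode the 12 bytes before the magic as unsigned decimal byte values.
    set -- $(tail -c 40 "$ko" | head -c 12 | od -An -tu1 -v)
    id_type=$3
    signer_len=$4
    key_id_len=$5
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    # Sanity check: the file must really contain the bytes the header claims.
    if [ $(( 40 + signer_len + key_id_len + sig_len )) -gt "$size" ]; then
        echo "corrupt trailer (sig_len=$sig_len exceeds file size $size)"
        return 2
    fi
    echo "signed type=$(id_type_name "$id_type") sig_len=$sig_len"
    return 0
}

# find_unsigned_modules DIR
# Prints every .ko under DIR without a valid trailer; exit 0 only if none found.
# Usage on a real system: find_unsigned_modules "/lib/modules/$(uname -r)"
find_unsigned_modules() {
    local ko found=0
    for ko in $(find "$1" -type f -name '*.ko'); do
        if ! ko_sig_info "$ko" >/dev/null; then
            echo "$ko"
            found=1
        fi
    done
    return $found
}

# make_fake_signed_ko FILE
# Constructed sample for demonstration: fake module body, a 5-byte placeholder
# "signature", a PKCS#7-style header with sig_len=5, then the magic.
make_fake_signed_ko() {
    {
        printf 'not really an ELF module'
        printf 'SIG05'                               # 5 placeholder signature bytes
        printf '\000\000\002\000\000\000\000\000'    # algo, hash, id_type=2, signer_len, key_id_len, pad
        printf '\000\000\000\005'                    # sig_len = 5, big-endian
        printf '%s\n' "$SIG_MAGIC"
    } > "$1"
}
```

Run it against /lib/modules/$(uname -r) after a kernel rebuild: anything it prints is a module the kernel will refuse (with CONFIG_MODULE_SIG_FORCE) or taint itself for, and is a candidate for the msv-sign list. It deliberately does not verify the PKCS#7 signature cryptographically; only the kernel, with its built-in keyring, can say whether the signer is trusted.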