Signed kernel module support
Revision as of 06:26, June 19, 2022
When the Linux kernel is built with module signature verification support enabled, you can sign modules with your own keys. We recommend the debian-sources kernel; just enable the "sign-modules" USE flag.
root # echo "sys-kernel/debian-sources sign-modules" >> /etc/portage/package.use
root # mkdir -p /etc/kernel/certs/linux
To use your own keys, generate a key pair (private key and public key) with openssl. First, create a new file x509.genkey in the directory /etc/kernel/certs/linux:
/etc/kernel/certs/linux/x509.genkey
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
#O = Funtoo Corporation Inc
CN = Funtoo LiveCD
#emailAddress = drobbins@funtoo.org
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
We will manually generate the private/public key files using the x509.genkey key generation configuration file and the openssl command. Here is an example to generate the public/private key files:
root # openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config /etc/kernel/certs/linux/x509.genkey -outform PEM -out /etc/kernel/certs/linux/signing_key.pem -keyout /etc/kernel/certs/linux/signing_key.pem
root # openssl x509 -outform der -in /etc/kernel/certs/linux/signing_key.pem -out /etc/kernel/certs/linux/signing_key.x509
Fix permissions:
root # chmod -R 755 /etc/kernel
Now, build debian-sources with your own keys:
root # emerge sys-kernel/debian-sources
Optional: Enable module.sig_enforce=1
If module.sig_enforce=1 is supplied on the kernel command line, the kernel will only load validly signed modules for which it has a public key. Otherwise, it will also load modules that are unsigned. Any module for which the kernel has a key, but which proves to have a signature mismatch, will not be permitted to load.
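After the build, it is worth confirming that the installed .ko files actually carry the appended signature that module.sig_enforce=1 will demand, so that enabling enforcement does not leave the system unable to load its own modules. The script below is an added example for this article, not Funtoo's or the kernel's own code. It parses the trailer that the kernel's sign-file appends to a module (the layout from the kernel's include/linux/module_signature.h: module data, then signer name, key id and signature, then a 12-byte struct module_signature, then the magic string "~Module signature appended~\n"), applies the same sanity checks the kernel performs on that trailer, and classifies every module under a tree as signed, unsigned or malformed. The sample module and the "PKCS#7" bytes at the bottom are constructed placeholders for the self-test; they are not a real module or a real signature, and the script does not cryptographically verify anything, it only reports what is there.

```python
"""Inspect the signature trailer that the kernel's sign-file appends to a .ko.

Added example for this article; not Funtoo's or the kernel's own code.
Layout (include/linux/module_signature.h, scripts/sign-file.c):
    <module ELF> <signer name> <key id> <signature> <struct module_signature> <magic>
For PKCS#7 signatures, the only type current kernels accept, signer name and
key id are empty and the signature is a DER-encoded PKCS#7 blob.
"""
import os
import struct
import sys

MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 __pad[3], __be32 sig_len  (12 bytes, big-endian length)
SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2   # enum pkey_id_type value for PKCS#7


def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Append a PKCS#7 trailer in the same layout sign-file produces."""
    header = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + header + MAGIC


def parse_module_signature(blob: bytes):
    """Return None for an unsigned module, else a dict describing the trailer.

    A trailer that is present but malformed raises ValueError; the kernel
    likewise refuses such a module instead of treating it as unsigned.
    """
    if not blob.endswith(MAGIC):
        return None                      # no trailer at all: unsigned module
    body = blob[: -len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("trailer too short for struct module_signature")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:]
    )
    body = body[: -SIG_STRUCT.size]
    if signer_len + key_id_len + sig_len > len(body):
        raise ValueError("declared signature length exceeds module size")
    if id_type == PKEY_ID_PKCS7 and (algo or hash_id or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer must have zero algo/hash/signer/key_id")
    signature = body[len(body) - sig_len:]
    body = body[: len(body) - sig_len]
    key_id = body[len(body) - key_id_len:] if key_id_len else b""
    body = body[: len(body) - key_id_len]
    signer = body[len(body) - signer_len:] if signer_len else b""
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "signer": signer,
        "key_id": key_id,
        "signature": signature,
        "payload_len": len(body) - signer_len,   # bytes the signature covers
    }


def audit_modules(root: str):
    """Walk a modules tree and classify each .ko as signed/unsigned/malformed."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".ko"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            try:
                result[path] = "signed" if parse_module_signature(data) else "unsigned"
            except ValueError as exc:
                result[path] = f"malformed trailer: {exc}"
    return result


# Constructed sample data for the self-test: not a real module, not real PKCS#7.
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_PKCS7 = b"\x30\x82\x00\x05" + b"\x06\x09\x2a\x86\x48"
SAMPLE_SIGNED = append_signature(SAMPLE_MODULE, SAMPLE_PKCS7)

if __name__ == "__main__":
    # Usage: python3 modsig_audit.py [/lib/modules/<release>]
    root = sys.argv[1] if len(sys.argv) > 1 else "/lib/modules/" + os.uname().release
    for path, status in sorted(audit_modules(root).items()):
        print(f"{status:<10} {path}")
```

Run it against the tree that emerge installed for the new kernel; every module that reports "unsigned" here is one that module.sig_enforce=1 will refuse, and any "malformed trailer" line points at a module whose trailer the kernel would reject outright. Note that modules compressed by the distribution (.ko.xz, .ko.zst) carry the trailer inside the compressed stream, so decompress them before feeding them to this parser.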