Difference between revisions of "Signed kernel module support"
(adding advanced module signing and verification scripts)
Revision as of 07:41, January 8, 2023
Since Linux kernel version 3.7.x, the kernel has supported signed kernel modules. When enabled, the kernel verifies the signature of each module before loading it. This allows the system to be "hardened" so that unsigned kernel modules, or modules signed with the wrong key, are not loaded. Malicious kernel modules are a common way for rootkits to enter a Linux system.
When the Linux kernel is built with module signature verification support enabled, you can use your own keys. We recommend the debian-sources kernel, simply enabling the "sign-modules" USE flag:
root # echo "sys-kernel/debian-sources sign-modules" >> /etc/portage/package.use
root # mkdir -p /etc/kernel/certs/linux
We will manually generate the private/public key files using the x509.genkey key generation configuration file and the openssl command. Here is an example to generate the public/private key files:
root # openssl req -new -nodes -sha256 -x509 -newkey rsa:2048 -days 36500 -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3 -subj '/CN=Funtoo Secure Boot/' -out /etc/kernel/certs/linux/signing_key.cert -keyout /etc/kernel/certs/linux/signing_key.asc
root # cat /etc/kernel/certs/linux/signing_key.asc /etc/kernel/certs/linux/signing_key.cert > /etc/kernel/certs/linux/signing_key.pem
root # openssl x509 -outform der -in /etc/kernel/certs/linux/signing_key.pem -out /etc/kernel/certs/linux/signing_key.x509
Create DER file to sign grub and SHIM (secure boot):
root # openssl x509 -in /etc/kernel/certs/linux/signing_key.cert -outform der -out /etc/kernel/certs/linux/signing_key.der
Fix permissions:
root # chmod -R 644 /etc/kernel/certs/linux/signing_key.pem
Now, build debian-sources with your own keys:
root # emerge sys-kernel/debian-sources
Manually signing modules
If you ever need to manually sign a kernel module, you can use the scripts/sign-file script available in the Linux kernel source tree. It requires four arguments:
- The hash algorithm to use, such as sha512.
- The private key location.
- The certificate (which includes the public key) location.
- The kernel module to sign.
root # /usr/src/linux/scripts/sign-file sha512 /etc/kernel/certs/linux/signing_key.pem /etc/kernel/certs/linux/signing_key.x509 ${MODULE_KO}
Advanced Module Signing and Verification Scripts
Only run these scripts once booted into a debian-sources kernel that has already been compiled with the sign-modules USE flag.
Module Signing
Here is an experimental but well tested script to locally automate the signing of kernel modules with your kernel module certificate and key:
sign_out_of_tree_modules.sh (Shell source code) - Kernel module signing script
#!/bin/bash
# Sign a fixed list of out-of-tree kernel modules with the local module signing key.
SIGNING_HASH_ALGO="sha512"
SIGNING_PRIVATE_KEY="/etc/kernel/certs/linux/signing_key.pem"
SIGNING_PUBLIC_KEY="/etc/kernel/certs/linux/signing_key.x509"
SIGNING_SCRIPT_DIR="/usr/src/linux"
SIGNING_SCRIPT="./scripts/sign-file"
KERNEL_VERSION="6.1.4_p1-debian-sources"
KERNEL_MODULES=(
    "/lib/modules/${KERNEL_VERSION}/misc/vboxdrv.ko"
    "/lib/modules/${KERNEL_VERSION}/misc/vboxnetadp.ko"
    "/lib/modules/${KERNEL_VERSION}/misc/vboxnetflt.ko"
    "/lib64/modules/${KERNEL_VERSION}/misc/vboxdrv.ko"
    "/lib64/modules/${KERNEL_VERSION}/misc/vboxnetadp.ko"
    "/lib64/modules/${KERNEL_VERSION}/misc/vboxnetflt.ko"
    "/lib/modules/${KERNEL_VERSION}/extra/v4l2loopback.ko"
)
for mod in "${KERNEL_MODULES[@]}"; do
    # Skip list entries that do not exist on this system
    [ -f "$mod" ] || continue
    echo "signing tainted kernel module $mod"
    (
        # sign-file is invoked from the kernel source tree; the subshell keeps the cd local
        cd "$SIGNING_SCRIPT_DIR" || exit 1
        "$SIGNING_SCRIPT" "$SIGNING_HASH_ALGO" "$SIGNING_PRIVATE_KEY" "$SIGNING_PUBLIC_KEY" "$mod"
    ) || echo "failed to sign $mod" >&2
done
Adjust the values of these Bash variables for your locally configured Funtoo system: SIGNING_HASH_ALGO, KERNEL_VERSION, KERNEL_MODULES
Module Verification
This is an experimental but well tested script that checks that all kernel modules carry a correct signature.
It inspects the signature of each kernel module to ensure it matches the configured kernel signing components.
verify_signed_modules.sh (Shell source code) - Kernel module signature verification script
#!/bin/bash
# Colors
RED=$'\033[31;01m'
GREEN=$'\033[32;01m'
OFF=$'\033[0m'
SIGNING_HASH_ALGO="sha512"
SIGNING_SIGNER="Funtoo Secure Boot"
KERNEL_VERSION="6.1.4_p1-debian-sources"
MODULE_LIB_DIR="/lib/modules/${KERNEL_VERSION}/"
MODULE_LIB64_DIR="/lib64/modules/${KERNEL_VERSION}/"
for dir in "$MODULE_LIB_DIR" "$MODULE_LIB64_DIR"; do
    [ -d "$dir" ] || continue
    # modinfo reports the signer and sig_hashalgo fields of the appended signature.
    # Require both to match so that a module signed with someone else's key does not PASS.
    # Note: modinfo only reads the signature metadata; the cryptographic check is done
    # by the kernel at load time (see module.sig_enforce below).
    find "$dir" -name '*.ko' -print0 | while IFS= read -r -d '' mod; do
        if modinfo "$mod" | grep -qE "^signer:[[:space:]]+${SIGNING_SIGNER}\$" \
           && modinfo "$mod" | grep -qE "^sig_hashalgo:[[:space:]]+${SIGNING_HASH_ALGO}\$"; then
            echo "${GREEN}PASS${OFF}: kernel module $mod signed. signer:$SIGNING_SIGNER sig_hashalgo:$SIGNING_HASH_ALGO"
        else
            echo "${RED}FAIL${OFF}: kernel module $mod is NOT properly signed"
        fi
    done
done
Adjust the values of these Bash variables for your locally configured Funtoo system: SIGNING_HASH_ALGO, SIGNING_SIGNER, KERNEL_VERSION
To filter out the successfully signed kernel modules and show only the failed signatures, run the above script like this locally on your Funtoo system:
root # ./verify_signed_modules.sh | grep -v PASS
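As an added example (not part of the wiki page or of the Funtoo scripts), the following Python parses the signature trailer that scripts/sign-file appends to a .ko and applies the same structural checks the kernel makes before handing the PKCS#7 blob to the crypto layer; it does not perform the cryptographic verification, which only the kernel holding the trusted certificate does at load time. The append_signature helper and the PKCS#7 bytes passed to it are constructed stand-ins for demonstration, not sign-file output.

```python
import struct
import sys

# Layout produced by scripts/sign-file (see include/linux/module_signature.h):
#   [ELF module][PKCS#7 blob, sig_len bytes][struct module_signature][MODULE_SIG_STRING]
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3sI")
PKEY_ID_PKCS7 = 2  # the only id_type current kernels accept


def append_signature(module, pkcs7, id_type=PKEY_ID_PKCS7):
    """Lay out a signed module image the way sign-file does (pkcs7 is a constructed blob here)."""
    trailer = SIG_STRUCT.pack(0, 0, id_type, 0, 0, b"\0\0\0", len(pkcs7))
    return module + pkcs7 + trailer + MODULE_SIG_STRING


def parse_module_signature(data):
    """Describe the appended signature of a module image.

    Mirrors the structural checks of the kernel's mod_check_sig(); it does NOT
    verify the PKCS#7 signature itself.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return {"signed": False, "valid_trailer": False, "reason": "no signature marker"}
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) <= SIG_STRUCT.size:
        return {"signed": True, "valid_trailer": False, "reason": "truncated trailer"}
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    rest = body[: -SIG_STRUCT.size]
    info = {"signed": True, "valid_trailer": False, "id_type": id_type, "sig_len": sig_len}
    if sig_len >= len(rest):
        info["reason"] = "sig_len exceeds module size"
    elif id_type != PKEY_ID_PKCS7:
        info["reason"] = "not a PKCS#7 signature; the kernel rejects it as unparseable"
    elif any((algo, hash_, signer_len, key_id_len)) or pad != b"\0\0\0":
        info["reason"] = "legacy fields must be zero for a PKCS#7 trailer"
    else:
        info.update(valid_trailer=True, pkcs7=rest[-sig_len:], payload=rest[:-sig_len])
    return info


if __name__ == "__main__":
    # Usage: python3 modsig_trailer.py /lib/modules/<version>/misc/vboxdrv.ko
    with open(sys.argv[1], "rb") as f:
        print(parse_module_signature(f.read()))
```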
Non-valid signatures and unsigned modules
If module.sig_enforce is disabled (the default), the kernel will also load modules that are unsigned.
If module.sig_enforce=1 is supplied on the kernel command line, the kernel will only load validly signed modules for which it has a public key; otherwise, it will also load modules that are unsigned. Any module for which the kernel has a key, but whose signature does not match, will not be permitted to load. Any module that has an unparseable signature will be rejected. Once you have confirmed that the modules are being signed and that the kernel works as it should, you can enable the following kernel parameter in /etc/boot.conf to require that the kernel only permits verified modules to be loaded:
You need to sign all the modules inside the initramfs first:
root # mkdir /tmp/initram ; cd /tmp/initram
root # cp /boot/initramfs-debian-sources-x86_64-6.1.4_p1 .
root # cat initramfs-debian-sources-x86_64-6.1.4_p1 | xz -d | cpio -id
root # find /tmp/initram/lib/modules/ -name "*ko" -exec /usr/src/linux/scripts/sign-file sha256 /etc/kernel/certs/linux/signing_key.pem /etc/kernel/certs/linux/signing_key.x509 '{}' \;
root # mv /boot/initramfs-debian-sources-x86_64-6.1.4_p1 /boot/initramfs-debian-sources-x86_64-6.1.4_p1.old
root # find . | cpio -H newc -o | xz --check=crc32 --x86 --lzma2 >/boot/initramfs-debian-sources-x86_64-6.1.4_p1
Include this parameter on your kernel line into /etc/boot.conf:
module.sig_enforce=1
Example /etc/boot.conf enabling kernel module signature verification:
/etc/boot.conf - module.sig_enforce boot.conf
"Funtoo Linux genkernel signing enforced" {
    kernel kernel[-v]
    initrd initramfs[-v]
    params += real_root=auto rootfstype=auto module.sig_enforce=1
}
Update configuration file that GRUB will use for booting:
root # ego boot update
ready to shim
Now that our system has a signed kernel and modules, we can load them up for secure boot using the fedora shim.