Note
The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Coffnix:Script to sign kernel modules
Jump to navigation
Jump to search
Since the Linux kernel version 3.7.x, support for the signed kernel modules has been useful. When enabled, the Linux kernel kernel will be fixed. This allows the system to be "hardened", not using the unsigned kernel, or kernel modules to be loaded with a wrong key, to be loaded. Malicious kernel modules are a common system for rootkits to enter a Linux system.
If you want to sign an embedded module in the kernel:
--- Enable loadable module support
[*] Module signature verification
[*] Require modules to be validly signed
[*] Automatically sign all modules
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
Manually sign modules, for example virtualbox modules ( (app-emulation/virtualbox-modules):
for i in $(find /lib/modules/$(uname -r) -iname "*vbox*.ko"); do
perl /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/signing_key.priv /usr/src/linux/signing_key.x509 $i
done
If you use kernel 4.3.3 or higher:
MODULES_DIR="/lib/modules/"
for i in $(find ${MODULES_DIR} -maxdepth 1 -type d|grep -vw "${MODULES_DIR}"|sed s,'/lib/modules/',,g);do
KERNEL_DIR="/usr/src/linux-${i}"
echo -e "Assinando módulo para kernel ${i}..."
for z in $(find /lib/modules/${i} -type f -iname "*vbox*.ko");do
${KERNEL_DIR}/scripts/sign-file sha512 ${KERNEL_DIR}/certs/signing_key.pem ${KERNEL_DIR}/certs/signing_key.x509 ${z}
done
done
Source:
https://wiki.gentoo.org/wiki/Signed_kernel_module_support