| 1 |
> <SwifT> next on the agenda is to check the kernel module signature based protection |
| 2 |
> <SwifT> which, when I get a 3.10.x kernel to boot, should be fairly easy to document |
| 3 |
|
| 4 |
It works - I have enabled module signing in Liberté Linux (with custom |
| 5 |
certificates), and tested that modified modules are indeed rejected. |
| 6 |
Note that kernel's makefiles are still inconsistent wrt. module |
| 7 |
signing: you can use MODSECKEY / MODPUBKEY to sign modules with |
| 8 |
non-throwaway certs during "make modules_install", but these variables |
| 9 |
will be ignored when actually bundling certs into the kernel [1]. |
| 10 |
|
| 11 |
To use non-trivial custom certificates with pre-3.10 kernels, you |
| 12 |
would need to backport the patch in [2]. |
| 13 |
|
| 14 |
Non-kernel modules need to be signed manually (see bug #447352), e.g.: |
| 15 |
|
| 16 |
find ${mainmod} -mindepth 2 ! -path "${mainmod}/kernel/*" -type f |
| 17 |
-name '*.ko' | \ |
| 18 |
while read mod; do |
| 19 |
if [ -z "`modinfo -F sig_key ${mod}`" ]; then |
| 20 |
${kernsrc}/scripts/sign-file ${sighash} ${sb_kmod}.key |
| 21 |
${sb_kmod}.der "${mod}" |
| 22 |
fi |
| 23 |
done |
| 24 |
|
| 25 |
[1] https://bugs.gentoo.org/show_bug.cgi?id=447352#c9 |
| 26 |
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04b00bdb41d0fd8d9cf3b146e334369cc2b0acdc |
| 27 |
|
| 28 |
-- |
| 29 |
Maxim Kammerer |
| 30 |
Liberté Linux: http://dee.su/liberte |
Archives