> <SwifT> next on the agenda is to check the kernel module signature based protection
> <SwifT> which, when I get a 3.10.x kernel to boot, should be fairly easy to document

It works - I have enabled module signing in Liberté Linux (with custom
certificates), and tested that modified modules are indeed rejected.
Note that the kernel's makefiles are still inconsistent wrt. module
signing: you can use MODSECKEY / MODPUBKEY to sign modules with
non-throwaway certs during "make modules_install", but these variables
will be ignored when actually bundling certs into the kernel [1].

To use non-trivial custom certificates with pre-3.10 kernels, you
would need to backport the patch in [2].

Non-kernel modules need to be signed manually (see bug #447352), e.g.:

# sign every out-of-tree .ko (anything outside ${mainmod}/kernel/) that
# does not already carry a signature
find "${mainmod}" -mindepth 2 ! -path "${mainmod}/kernel/*" -type f \
    -name '*.ko' | \
while IFS= read -r mod; do
    if [ -z "$(modinfo -F sig_key "${mod}")" ]; then
        "${kernsrc}/scripts/sign-file" "${sighash}" "${sb_kmod}.key" \
            "${sb_kmod}.der" "${mod}"
    fi
done

[1] https://bugs.gentoo.org/show_bug.cgi?id=447352#c9
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04b00bdb41d0fd8d9cf3b146e334369cc2b0acdc

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
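An added audit example, not from the mail above or from Liberté Linux: the sign-file script mentioned in the mail appends the signature blob and then a fixed trailer, which the kernel source defines as MODULE_SIG_STRING ("~Module signature appended~\n"). A defender can use that trailer to list which .ko files in a module tree were never signed, without depending on a modinfo that understands sig_key. Function names, the sample directory layout and the fake module payloads are constructed for this example; the trailer string itself comes from the kernel source, not from the mail.

```shell
#!/bin/sh
# Added example, not code from the original mail. Lists *.ko files that lack
# the trailer which scripts/sign-file appends after the signature blob. The
# trailer is the kernel's MODULE_SIG_STRING, "~Module signature appended~\n";
# checking for it needs no kmod/modinfo and works on any uncompressed .ko tree.
SIG_MARKER='~Module signature appended~'

# module_is_signed FILE: exit 0 if FILE ends with the signature trailer.
# Only the presence of the trailer is tested; whether the signature verifies
# against the kernel's built-in keyring is decided by the kernel at load time.
module_is_signed() {
    f=$1
    [ -f "$f" ] || return 1
    # last 28 bytes = 27 marker characters + the trailing newline
    [ "$(tail -c 28 "$f" | tr -d '\n')" = "$SIG_MARKER" ]
}

# find_unsigned_modules DIR: print every *.ko under DIR without the trailer,
# one path per line, sorted, so the output can be diffed between runs.
find_unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r mod; do
        module_is_signed "$mod" || printf '%s\n' "$mod"
    done
}

# count_unsigned_modules DIR: number of unsigned modules under DIR.
count_unsigned_modules() {
    find_unsigned_modules "$1" | wc -l | tr -d ' '
}

# make_sample_tree DIR: constructed sample data for a dry run. The payloads are
# fake byte strings, not real ELF modules; only the trailer matters here.
make_sample_tree() {
    d=$1
    mkdir -p "$d/kernel/fs" "$d/extra"
    printf 'fake-module-payload\n' > "$d/kernel/fs/signed.ko"
    printf 'fake-signature-blob%s\n' "$SIG_MARKER" >> "$d/kernel/fs/signed.ko"
    printf 'fake-module-payload\n' > "$d/extra/unsigned.ko"
}

# Dry run on the constructed tree; for a real check point the functions at
# /lib/modules/$(uname -r) instead.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "unsigned modules under $demo_dir ($(count_unsigned_modules "$demo_dir")):"
find_unsigned_modules "$demo_dir"
rm -rf "$demo_dir"
```

The check is deliberately narrow: it reports modules that carry no signature at all, which is the gap the mail's signing loop closes for out-of-tree modules. It says nothing about whether a present signature is valid, and it skips compressed modules (.ko.gz, .ko.xz), which would need to be decompressed first.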