On Wednesday, 11 April 2018 21:39:30 BST Ben Mezger wrote:
> Greetings,
>
> I have enabled module signature verification on my kernel, and it does
> seem to be enabled upon boot:
>
> $ dmesg | grep -i 'x.*509'
> [ 1.259988] Asymmetric key parser 'x509' registered
> [ 1.811026] Loading compiled-in X.509 certificates
> [ 1.813833] Loaded X.509 cert 'Build time autogenerated kernel key:
> 77e716fc52a6293567d953cd24a5977e55b41a5e'
>
> and doing a cat /proc/keys seems to show the key enabled:
>
> $ cat /proc/keys
> ...
> 37c67374 I------ 1 perm 1f030000 0 0 asymmetri Build time
> autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e:
> X509.rsa 55b41a5e []
> ...
>
> However, if I do a modinfo to see the key on a module, it seems empty:
>
> $ modinfo ntfs
> filename: /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
> license: GPL
> version: 2.1.32
> description: NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton
> Altaparmakov and Tuxera Inc.
> author: Anton Altaparmakov <anton@××××××.com>
> alias: fs-ntfs
> srcversion: 0D7ACE93F603E9350827FB8
> depends:
> intree: Y
> vermagic: 4.9.76-gentoo-r1 SMP mod_unload
> signat: PKCS#7
> signer:
> sig_key:
> sig_hashalgo: md4

I am getting a similar output with later source kernel than yours:

# modinfo ntfs
filename: /lib/modules/4.15.17-gentoo/kernel/fs/ntfs/ntfs.ko.gz
license: GPL
version: 2.1.32
description: NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton
Altaparmakov and Tuxera Inc.
author: Anton Altaparmakov <anton@××××××.com>
alias: fs-ntfs
srcversion: B6DF5EBF4EF8B063988F5CB
depends:
retpoline: Y
intree: Y
name: ntfs
vermagic: 4.15.17-gentoo SMP preempt mod_unload
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4

Which I find quite confusing. Not only the keys are not shown, but the
sig_hashalgo is md4 (cracked since 1995) instead of the SHA512 I had specified
in my kernel .config.


> And hex dump does show me the digital signature appended at the end:
>
> $ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail
> 0004e8c0  e3 dd 54 9d 5e f1 1a 12  56 47 4e 54 91 b9 fa ce  |..T.^...VGNT....|
> 0004e8d0  e6 01 db 37 eb 83 f3 77  10 f0 b5 f8 11 fd 4e 86  |...7...w......N.|
> 0004e8e0  6c 81 8a 61 c2 15 6d 5a  35 93 8b 33 c0 32 2f e4  |l..a..mZ5..3.2/.|
> 0004e8f0  8c 15 71 de c8 c5 39 58  cc e8 65 e1 be 36 e6 02  |..q...9X..e..6..|
> 0004e900  b0 75 b5 a2 73 d8 4d 22  e7 2f 53 1f 42 fb ee 58  |.u..s.M"./S.B..X|
> 0004e910  f2 65 44 13 26 30 7b 31  1c 58 12 5a f2 5d b1 45  |.eD.&0{1.X.Z.].E|
> 0004e920  3a f0 a5 79 74 f4 00 00  02 00 00 00 00 00 00 00  |:..yt...........|
> 0004e930  02 9e 7e 4d 6f 64 75 6c  65 20 73 69 67 6e 61 74  |..~Module signat|
> 0004e940  75 72 65 20 61 70 70 65  6e 64 65 64 7e 0a        |ure appended~.|
> 0004e94e
>
> My question is: why doesn't modinfo show me the key fingerprint?

I don't know the answer, but would be interested to find out. I have only
used kernel autogenerated keys to do this, so I can't attest if the result is
the same when creating own keys manually.

--
Regards,
Mick
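The last bytes of the quoted hexdump can be decoded directly. The parser below is an added example, not part of either message: it assumes the 12-byte `struct module_signature` layout from the kernel source (algo, hash, id_type, signer_len, key_id_len, three pad bytes, big-endian sig_len) sitting immediately before the magic string, and `parse_module_trailer` and the sample image are constructed for illustration.

```python
import struct

MAGIC = b"~Module signature appended~\n"
# Kernel struct module_signature: five u8 fields, 3 pad bytes, be32 sig_len.
TRAILER = struct.Struct(">BBBBB3xI")
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}  # enum pkey_id_type


def parse_module_trailer(data: bytes) -> dict:
    """Parse the signature trailer at the end of a signed .ko image."""
    if not data.endswith(MAGIC):
        raise ValueError("no module signature magic at end of file")
    end = len(data) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("file too short for signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        data[end - TRAILER.size:end])
    sig_end = end - TRAILER.size          # signature blob ends here
    blob_len = signer_len + key_id_len + sig_len
    if blob_len > sig_end:
        raise ValueError("signature length exceeds file size")
    return {
        "algo": algo, "hash": hash_,
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "signer_len": signer_len, "key_id_len": key_id_len,
        "sig_len": sig_len,
        "signature": data[sig_end - sig_len:sig_end],
        "payload_len": sig_end - blob_len,  # size of the unsigned module
    }


# Constructed sample: fake ELF bytes, 670 filler bytes standing in for the
# PKCS#7 blob, the 12 trailer bytes visible in the quoted hexdump, the magic.
SAMPLE = (b"\x7fELF" + b"\x00" * 60 + b"\xaa" * 670
          + bytes.fromhex("00 00 02 00 00 00 00 00 00 00 02 9e") + MAGIC)

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    info = parse_module_trailer(raw)
    info["signature"] = f"<{len(info['signature'])} bytes>"
    print(info)
```

For the trailer bytes in the dump this gives id_type PKCS#7, a 670-byte signature, and zero for hash, signer_len and key_id_len. With a PKCS#7 signature the signer and digest are recorded inside the signature blob itself, so a tool that reads only these trailer fields has nothing to print for signer or sig_key and reports hash index 0, which is md4 in the hash enumeration.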