Signed kernel module support: the kernel module signing mechanism
Signed kernel module support
From: http://blog.csdn.net/u011923747/article/details/18619545 (from the Gentoo Wiki)
Since Linux kernel version 3.7, support has been available for signed kernel modules. When enabled, the Linux kernel will only load kernel modules that are digitally signed with the proper key. This further hardens the system by refusing to load unsigned kernel modules, or kernel modules signed with the wrong key. Malicious kernel modules are a common method for loading rootkits on a Linux system.
Enabling module signature verification
Enabling support is a matter of toggling a few settings in the Linux kernel configuration. Unless you want to use your own key pair, this is all that has to be done to enable signed kernel module support.
Configuring module signature verification
Module signature verification is a kernel feature, so it has to be enabled through the Linux kernel configuration. You can find the necessary options under Enable loadable module support:
--- Enable loadable module support
  [*] Module signature verification
  [*]   Require modules to be validly signed
  [*]   Automatically sign all modules
        Which hash algorithm should modules be signed with? (Sign modules with SHA-512)  --->
The option Module signature verification (CONFIG_MODULE_SIG) enables module signature verification in the Linux kernel. It supports two approaches to signed module support: a rather permissive one and a strict one. By default, the permissive approach is used, which means that a Linux kernel module either has to have a valid signature, or no signature at all. With the strict approach, a valid signature must be present. In the above example, the strict approach is used by selecting Require modules to be validly signed (CONFIG_MODULE_SIG_FORCE). Another way of enabling this strict approach is to set the kernel boot option enforcemodulesig=1.
When building the Linux kernel, the kernel modules will not be signed automatically unless you select Automatically sign all modules (CONFIG_MODULE_SIG_ALL).
Finally, we need to select the hash algorithm to use with the cryptographic signature. In the above example, we use SHA-512.
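The permissive/strict distinction above is easy to get wrong when reading a kernel configuration by hand, so here is an added example (not part of the Gentoo Wiki page) that audits a .config and boot command line for exactly these options and reports whether signature checking is disabled, permissive or strict. The CONFIG_ symbols are the real ones from the menu above; the boot option enforcemodulesig=1 is the name used on this page, and module.sig_enforce=1 is the name later kernels use for the same switch. The sample configurations are constructed.

```python
import re

# Added example (not from the Gentoo Wiki page): audit a kernel .config and
# boot command line for the module-signing options and report the mode.

def parse_kconfig(text):
    """Parse .config text into {symbol: value}. '# CONFIG_X is not set' maps to 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            cfg[m.group(1)] = "n"
            continue
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg

# Boot options that force strict checking: enforcemodulesig=1 is the name used
# on this page (kernel 3.7); module.sig_enforce=1 is the name later kernels use.
ENFORCE_RE = re.compile(r"(?:^|\s)(?:enforcemodulesig|module\.sig_enforce)=1(?:\s|$)")

def module_sig_mode(cfg, cmdline=""):
    """'disabled' if CONFIG_MODULE_SIG is off; otherwise 'strict' when
    CONFIG_MODULE_SIG_FORCE=y or the boot line forces it, else 'permissive'."""
    if cfg.get("CONFIG_MODULE_SIG") != "y":
        return "disabled"
    if cfg.get("CONFIG_MODULE_SIG_FORCE") == "y" or ENFORCE_RE.search(cmdline):
        return "strict"
    return "permissive"

def signing_hash(cfg):
    """Hash algorithm selected for module signatures, e.g. 'sha512'."""
    if "CONFIG_MODULE_SIG_HASH" in cfg:
        return cfg["CONFIG_MODULE_SIG_HASH"]
    for sym, val in cfg.items():
        m = re.match(r"^CONFIG_MODULE_SIG_(SHA\d+)$", sym)
        if m and val == "y":
            return m.group(1).lower()
    return None

def audit(config_text, cmdline=""):
    """Summarise the signing-related settings of one configuration."""
    cfg = parse_kconfig(config_text)
    enabled = cfg.get("CONFIG_MODULE_SIG") == "y"
    return {
        "mode": module_sig_mode(cfg, cmdline),
        "auto_sign": cfg.get("CONFIG_MODULE_SIG_ALL") == "y",
        "hash": signing_hash(cfg) if enabled else None,
    }

# Constructed sample: the selections shown in the menu above (strict mode).
STRICT_CONFIG = """\
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
"""

# Constructed sample: verification on, but FORCE left off (the permissive default),
# so an unsigned module would still load unless the boot line forces it.
PERMISSIVE_CONFIG = STRICT_CONFIG.replace("CONFIG_MODULE_SIG_FORCE=y",
                                          "# CONFIG_MODULE_SIG_FORCE is not set")

if __name__ == "__main__":
    print(audit(STRICT_CONFIG))
    print(audit(PERMISSIVE_CONFIG))
    print(audit(PERMISSIVE_CONFIG, cmdline="root=/dev/sda1 enforcemodulesig=1 quiet"))
```

On a running system the same functions can be fed the contents of /boot/config-$(uname -r) (or a decompressed /proc/config.gz) and /proc/cmdline; the permissive sample shows why CONFIG_MODULE_SIG alone is not a hardening control.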
Building the kernel with proper keys
When the Linux kernel is built with module signature verification enabled, you can either use your own keys or have the Linux kernel build infrastructure create a set for you. In the latter case, just continue as you always do with make and make modules_install. At the end of the build process, you will notice that signing_key.priv and signing_key.x509 are available in the root of the Linux kernel sources.
If you want to use your own keys, you can use openssl to create a key pair (private key and public key). The following configuration file (x509.genkey) and command, taken from kernel/Makefile, create such a key pair.
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = GenFic
CN = Kernel Signing Key
emailAddress = [email protected]

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
user $ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.priv
The resulting files need to be stored as signing_key.x509 and signing_key.priv in the root of the Linux kernel source tree.
The public key part will be built into the Linux kernel. If you configured the kernel to sign modules, the signing takes place during the make modules_install step.
Validating module signature support
Reboot with the newly configured kernel. In the output of dmesg you should be able to confirm that the proper certificate is loaded:
user $ dmesg | grep MODSIGN
[    2.450021] MODSIGN: Loaded cert 'GenFic: Kernel Signing Key: b923a5f44eae25bbad52c8bf2742e7b7e6fb0c0e'
The kernel modules have the digital signature appended at the end. A simple hexdump can confirm whether a signature is present:
user $ hexdump -C vxlan.ko | tail
00008880  cf 0e e7 cb 10 9e 98 5f  4b 21 d4 03 ba 3d 7e e7  |......._K!...=~.|
00008890  68 db f9 e3 5f 62 3c c7  d6 6c 84 c7 d6 68 c1 73  |h..._b<..l...h.s|
000088a0  3d d7 5a 38 66 99 12 b8  84 c9 84 45 dd 68 6d 17  |=.Z8f......E.hm.|
000088b0  03 24 dc 9c 6f 6d 11 01  e9 74 82 ea b5 5b 46 07  |.$..om...t...[F.|
000088c0  fe dd 66 97 1a 33 58 3d  6e d0 ac 03 08 16 73 06  |..f..3X=n.....s.|
000088d0  9f 90 c4 eb b3 82 1d 9f  48 8c 5b 51 01 06 01 1e  |........H.[Q....|
000088e0  14 00 00 00 00 00 02 02  7e 4d 6f 64 75 6c 65 20  |........~Module |
000088f0  73 69 67 6e 61 74 75 72  65 20 61 70 70 65 6e 64  |signature append|
00008900  65 64 7e 0a                                       |ed~.|
00008904
The string ~Module signature appended~ at the end confirms that a signature is present. Of course, it does not confirm whether the signature is valid.
To remove the signature, we can use the strip command:
root # strip --strip-debug vxlan.ko
root # hexdump -C vxlan.ko | tail
00097330  6c 5f 67 65 74 5f 73 74  61 74 73 36 34 00 72 63  |l_get_stats64.rc|
00097340  75 5f 62 61 72 72 69 65  72 00 5f 72 61 77 5f 73  |u_barrier._raw_s|
00097350  70 69 6e 5f 75 6e 6c 6f  63 6b 00 72 65 67 69 73  |pin_unlock.regis|
00097360  74 65 72 5f 70 65 72 6e  65 74 5f 64 65 76 69 63  |ter_pernet_devic|
00097370  65 00 6b 6d 61 6c 6c 6f  63 5f 63 61 63 68 65 73  |e.kmalloc_caches|
00097380  00 6e 65 74 64 65 76 5f  69 6e 66 6f 00 6e 65 69  |.netdev_info.nei|
00097390  67 68 5f 6c 6f 6f 6b 75  70 00 72 65 6c 65 61 73  |gh_lookup.releas|
000973a0  65 5f 73 6f 63 6b 00 72  65 67 69 73 74 65 72 5f  |e_sock.register_|
000973b0  6e 65 74 64 65 76 69 63  65 00                    |netdevice.|
000973ba
If we try to load this module now, we get a failure:
root # modprobe vxlan
modprobe: ERROR: could not insert 'vxlan': Required key not available
This confirms that modules without a signature are not loaded.
Administering kernel module signatures
Once the kernel boots and we have validated that the signed kernel module support works, it is important to correctly handle the keys themselves.
Protecting the private key
The private key, stored as signing_key.priv, needs to be moved to a secure location (unless you will be creating new keys for each new kernel, in which case the file can be removed). Do not keep it in /usr/src/linux on production systems, as malware could then easily use this key to sign malicious kernel modules (such as rootkits) and compromise the system further.
Manually signing modules
If you ever need to manually sign a kernel module, you can use the scripts/sign-file script available in the Linux kernel source tree. It requires four arguments:
- The hash algorithm to use, such as sha512
- The private key location
- The certificate (which includes the public key) location
- The kernel module to sign
In this case, the key pair does not need to be named signing_key.priv and signing_key.x509, nor does it need to be in the root of the Linux kernel source tree.
user $ perl /usr/src/linux/scripts/sign-file sha512 /mnt/sdcard/kernel-signkey.priv /mnt/sdcard/kernel-signkey.x509 vxlan.ko
Distributing the kernel and modules
If we create a kernel package through make tarbz2-pkg, the modules in it will already be signed, so we do not need to sign them manually afterwards. The signing keys themselves are not distributed with it.
More resources
In "Booting a self-signed Linux kernel", Greg Kroah-Hartman describes how to boot a self-signed Linux kernel from EFI. Since signed kernel module support is only secure if the Linux kernel itself is trusted, this is an important (and related) feature to work with.