Linux 模組(ko)簽名
Since Linux kernel version 3.7 onwards, support has been added for signed kernel modules. When enabled, the Linux kernel will only load kernel modules that are digitally signed with the proper key. This allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded. Malicious kernel modules are a common method for loading rootkits on a Linux system.
Enabling module signature verification
Enabling support is a matter of toggling a few settings in the Linux kernel configuration. Unless you want to use your own keypair, this is all that has to be done to enable kernel module support.
Configuring module signature verification
Module signature verification is a kernel feature, so has to be enabled through the Linux kernel configuration. You can find the necessary options under Enable loadable module support
--- Enable loadable module support [*] Module signature verification [*] Require modules to be validly signed [*] Automatically sign all modules Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
The option Module signature verification (CONFIG_MODULE_SIG) enables the module signature verification in the Linux kernel. It supports two approaches on signed module support: a rather permissive one and a strict one. By default, the permissive approach is used, which means that the Linux kernel module either has to have a valid signature, or no signature. With the strict approach, a valid signature must be present. In the above example, the strict approach is used by selecting Require modules to be validly signed (CONFIG_MODULE_SIG_FORCE). Another way of enabling this strict approach is to set the kernel boot option enforcemodulesig=1.
When building the Linux kernel, the kernel modules will not be signed automatically unless you select Automatically sign all modules(CONFIG_MODULE_SIG_ALL).
Finally, we need to select the hash algorithm to use with the cryptographic signature. In the above example, we use SHA-512.
Building the kernel with proper keys
When the Linux kernel is building with module signature verification support enabled, then you can use your own keys or have the Linux kernel build infrastructure create a set for you. If you want the Linux kernel build infrastructure to create it for you, just continue as you always do with a make and make modules_install. At the end of the build process, you will notice that signing_key.priv and signing_key.x509 will be available on the root of the Linux kernel sources.
If we want to use our own keys, you can use openssl to create a key pair (private key and public key). The following command, taken from kernel/Makefile, creates such a key pair.
Filex509.genkeyKey generation configuration file[ req ] default_bits = 4096 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = myexts [ req_distinguished_name ] O = GenFic CN = Kernel Signing Key emailAddress = [email protected] [ myexts ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=keyiduser $ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.priv
The resulting files need to be stored as signing_key.x509 and signing_key.priv in the root of the Linux kernel source tree.
The public key part will be build inside the Linux kernel. If you configured the kernel to sign modules, this signing will take place during the make modules_install part.
Validating module signature support
Reboot with the newly configured kernel. In the output of dmesg you should be able to confirm that the proper certificate is loaded:
user $ dmesg | grep MODSIGN[ 2.450021] MODSIGN: Loaded cert 'GenFic: Kernel Signing Key: b923a5f44eae25bbad52c8bf2742e7b7e6fb0c0e'
The kernel modules have the digital signature appended at the end. A simple hexdump can confirm if a signature is present or not:
user $ hexdump -C vxlan.ko | tail00008880 cf 0e e7 cb 10 9e 98 5f 4b 21 d4 03 ba 3d 7e e7 |......._K!...=~.| 00008890 68 db f9 e3 5f 62 3c c7 d6 6c 84 c7 d6 68 c1 73 |h..._b<..l...h.s| 000088a0 3d d7 5a 38 66 99 12 b8 84 c9 84 45 dd 68 6d 17 |=.Z8f......E.hm.| 000088b0 03 24 dc 9c 6f 6d 11 01 e9 74 82 ea b5 5b 46 07 |.$..om...t...[F.| 000088c0 fe dd 66 97 1a 33 58 3d 6e d0 ac 03 08 16 73 06 |..f..3X=n.....s.| 000088d0 9f 90 c4 eb b3 82 1d 9f 48 8c 5b 51 01 06 01 1e |........H.[Q....| 000088e0 14 00 00 00 00 00 02 02 7e 4d 6f 64 75 6c 65 20 |........~Module | 000088f0 73 69 67 6e 61 74 75 72 65 20 61 70 70 65 6e 64 |signature append| 00008900 65 64 7e 0a |ed~.| 00008904
The string ~Module signature appended~ at the end confirms that a signature is present. Of course, it does not confirm that the signature is valid or not.
To remove the signature, we can use the strip command:
root # strip --strip-debug vxlan.koroot # hexdump -C vxlan.ko | tail
00097330 6c 5f 67 65 74 5f 73 74 61 74 73 36 34 00 72 63 |l_get_stats64.rc| 00097340 75 5f 62 61 72 72 69 65 72 00 5f 72 61 77 5f 73 |u_barrier._raw_s| 00097350 70 69 6e 5f 75 6e 6c 6f 63 6b 00 72 65 67 69 73 |pin_unlock.regis| 00097360 74 65 72 5f 70 65 72 6e 65 74 5f 64 65 76 69 63 |ter_pernet_devic| 00097370 65 00 6b 6d 61 6c 6c 6f 63 5f 63 61 63 68 65 73 |e.kmalloc_caches| 00097380 00 6e 65 74 64 65 76 5f 69 6e 66 6f 00 6e 65 69 |.netdev_info.nei| 00097390 67 68 5f 6c 6f 6f 6b 75 70 00 72 65 6c 65 61 73 |gh_lookup.releas| 000973a0 65 5f 73 6f 63 6b 00 72 65 67 69 73 74 65 72 5f |e_sock.register_| 000973b0 6e 65 74 64 65 76 69 63 65 00 |netdevice.| 000973ba
If we try to load this module now, we get a failure:
root # modprobe vxlanmodprobe: ERROR: could not insert 'vxlan': Required key not available
This confirms that modules without a signature are not loaded.
Administering kernel module signatures
Once the kernel boots and we have validated that the signed kernel module support works, it is important to correctly handle the keys themselves.
Protecting the private key
The private key, stored as signing_key.priv, needs to be moved to a secure location (unless you will be creating new keys for new kernels, in which case the file can be removed). Do not keep it at /usr/src/linux on production systems as malware can then easily use this key to sign the malicious kernel modules (such as rootkits) and compromise the system further.
Manually signing modules
If you ever need to manually sign a kernel module, you can use the scripts/sign-file script available in the Linux kernel source tree. It requires four arguments:
- The hash algorithm to use, such as sha512
- The private key location
- The certificate (which includes the public key) location
- The kernel module to sign
In this case, the key pair does not need to be named signing_file.priv and such, nor do they need to be in the root of the Linux kernel source tree location.
user $ perl /usr/src/linux/scripts/sign-file sha512 /mnt/sdcard/kernel-signkey.priv /mnt/sdcard/kernel-signkey.x509 vxlan.koDistributing the kernel and modules
If we create a kernel package through make tarbz2-pkg, the modules in it will be signed already so we do not need to manually sign them afterwards. The signing keys themselves are not distributed with it.
More resources
In Booting a self-signed Linux kernel Greg Kroah-Hartman describes how to boot a self-signed Linux kernel from EFI. As having signed kernel module support is only secure if the Linux kernel is trusted, this is an important (and related) feature to work with.
一個關閉簽名的案例:
轉自http://blog.chinaunix.net/uid-27717694-id-3999307.html
相關推薦
Linux 模組(ko)簽名
Since Linux kernel version 3.7 onwards, support has been added for signed kernel modules. When enabled, the Linux kernel will only load kernel modules th
Linux 自動載入驅動模組(.ko檔案)
以wctdmxxp.ko為例 wctdmxxp.ko需要依賴dahdi_voicebus.ko 一、手動載入: insmod dahdi_voicebus.ko insmod wctdmxxp.ko 二、自動載入 1、把wctdmxxp.ko和dahdi_voicebu
Linux可載入核心模組(LKM)(轉載)
轉載: 漏天劍 Linux可載入核心模組(LKM) Linux可載入核心模組完全版 --黑客、病毒程式編寫者和系統管理員的概念性指南 作者:pragmatic/THC 版本:1.0 釋出時間:03/1999/ 譯者:[email protected] I.基
Linux可載入核心模組(LKM)
轉載自http://blog.csdn.net/zhaqiwen/article/details/8288472 I.基礎知識 1.什麼是LKM 2.什麼是系統呼叫 3.什麼是核心符號表 4.如何進行核心與使用者空間記憶體資料的交換 5.使用使用者空間的
linux 筆記(3)sudo
style roo 執行 詳細 現在 tail 筆記 內容 如果 剛安裝Ubuntu,出現在終端的首行: To run a command as administrator (user "root"), use "sudo <command>". See “m
Linux基礎(一)
顯示文件 單用戶 重要 命令 普通 art 免費使用 出現 文件夾 一、了解Unix和Linux 1.Unix和Linux的起源 出現分時操作系統的概念後,貝爾實驗室和通用電氣在CTTS成功研制後決定開發能夠同時支持上百終端的MULTICS,但是失敗了。後來一位參加過M
linux基礎(2)
是把 uid bash chm 備註 font 註意 nbsp gshadow Linux基礎題 作業一:1) 新建用戶natasha,uid為1000,gid為555,備註信息為“master”useradd natashagroupmod -g 555 nata
Linux基礎(四)
har jid work 區號 linu watch worker eof -1 一、系統監控 1.用top命令實時監測CPU、內存、硬盤狀態 效果類似Windows的任務管理器,默認每5秒刷新一下屏幕上的顯示結果。 [[email protected]/*
linux基礎(4)
adding out drop 數據 關系 共享內存 文件的 top命令 動態 一 系統監控 1. 系統監視和進程控制工具—top和free1) 掌握top命令的功能:top命令是Linux下常用的性能分析工具,能夠實時顯示系統中各個進程的資源占用狀況,類似於Window
9、Linux基礎(五)
查看 reload print install 1-1 str -s firewalld samb 一 Samba服務 1 準備環境 =====>part1: iptables -F #systemctl disable firewalld #開機默認關閉 #s
Python學習day9--linux基礎(六)
sdn zip install bsp docs sbin service dev 網卡 今天我們來看一下Samba服務和nginx服務。 Samba服務 1.samba的功能 samba是一個網絡服務器,用於Linux和Windows之間共享文件。 2.samba服
每天一個linux命令(16):tail命令
nvi 系統 strong 維基百科 ron .com linux tro 聯系 版權聲明更新:2017-05-20博主:LuckyAlan聯系:[email protected]/* */聲明:吃水不忘挖井人,轉載請註明出處! 1 文章介紹 本文介紹了Linu
每天一個linux命令(11):cat命令
部分 ron linu mv命令 平臺 linux下 一個 介紹 inux 版權聲明更新:2017-05-15博主:LuckyAlan聯系:[email protected]/* */聲明:吃水不忘挖井人,轉載請註明出處! 1 文章介紹 本文介紹了Linux下面
每天一個linux命令(9):cp命令
系統 lin 維基 介紹 參考 vip 聲明 com 開發平臺 版權聲明更新:2017-05-13博主:LuckyAlan聯系:[email protected]/* */聲明:吃水不忘挖井人,轉載請註明出處! 1 文章介紹 本文介紹了Linux下面的cp命令。
Linux入門(三)
ls cat hwclock cd date echo Linux常用命令: Linux文件系統: 1.文件名名稱嚴格區分大小寫 2.文件可以使用除/意外的任意字符;不建議使用特殊字符 3.文件名長度不能超過255個字符 4. 以. 開頭的文件為隱藏文件 工作目錄:workin
Linux入門(二)
man linux終端 linux發行版本 linux文件系統初步 google高級用法 Linux常用的基礎命令1.發行版本2.CISC、RISC3.編譯和反編譯(GPL、LGPL、BSD)4.程序包管理5.文件系統初步終端設備虛擬終端圖形終端串行終端偽終端Linux的哲學思想6.開源協
Linux學習(1)
linux開始學習Linux了,希望能學有所成————測試中本文出自 “Linux學習” 博客,請務必保留此出處http://mmchy.blog.51cto.com/13044974/1941714Linux學習(1)
Linux入門(四)
fhs man bash特性 文件管理 目錄管理 目錄:一、根文件系統層級標準FHS 二、bash的基礎特性(一) 1.命令歷史 2.命令行補全 3.路徑補全 4.命令行展開 5.命令執行的狀態結果 6.引用 7.快捷鍵 三、目錄管理
【Linux】好玩的Linux命令(二)
unknown nds end shell腳本 其他 你是 結構 lan isp 關於Linux talk:http://man.linuxde.net/talk 下面文章轉自:http://www.oschina.net/translate/11-lesser-know
Linux筆記(十三) - 系統管理
系統版本 服務管理 結束程序 名稱 kconfig 才會 設置 小寫 linu (1)進程管理1.判斷服務器健康狀態2.查看進程a.查看系統中所有進程:ps 例:ps aux(使用BSD操作系統命令格式) a 顯示所有前臺進程 x 顯示所有後臺進程