its_randomness n00b
Joined: 06 Dec 2023 Posts: 11
Posted: Sat Dec 16, 2023 7:43 am Post subject: missing kernel signatures
I have just enabled module signing with the following kernel .config options:
Code: |
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_SHA384 is not set
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_MODULE_SIG_KEY="/path/to/pem/containing/both/x509/and/private/key"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
# CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
|
Everything builds without errors it seems, and the certs/signing_key.x509 contains the certificate from the CONFIG_MODULE_SIG_KEY file.
The output from modules_install shows a SIGN for every INSTALL command.
When booting the kernel and running modprobe on a module it doesn't seem signed.
Code: |
# modinfo ext4
filename: /lib/modules/6.6.5-gentoo-desktop-nomultilib/kernel/fs/ext4/ext4.ko
softdep: pre: crc32c
license: GPL
description: Fourth Extended Filesystem
author: Remy Card, Stephen Tweedie, Andrew Morton, Andreas Dilger, Theodore Ts'o and others
alias: fs-ext4
alias: ext3
alias: fs-ext3
srcversion: CF37BB128CF4C2238A1C5A6
depends: jbd2,mbcache,crc16
retpoline: Y
intree: Y
name: ext4
vermagic: 6.6.5-gentoo-desktop-nomultilib SMP preempt mod_unload modversions
sig_id: PKCS#7
signer:
sig_key:
sig_hashalgo: unknown
signature:
|
The hexdump from the ext4.ko file seems to have a signature:
Code: |
hexdump -C /lib/modules/6.6.5-gentoo-desktop-nomultilib/kernel/fs/ext4/ext4.ko | tail
....
011a97e0 24 b7 f3 01 70 d9 88 2d 24 60 a1 a4 d7 d2 a3 f0 |$...p..-$`......|
011a97f0 03 99 0c 78 54 4c 57 19 59 c0 67 f4 7e 50 aa 68 |...xTLW.Y.g.~P.h|
011a9800 14 23 8d 15 7c 2c ae 9a 2b 50 e3 c4 d6 41 82 fb |.#..|,..+P...A..|
011a9810 18 81 22 72 f8 44 92 90 8b 64 3d e5 cc fa ab 0c |.."r.D...d=.....|
011a9820 4b b6 16 57 c0 aa 96 34 34 8d 21 4e 45 42 dd 53 |K..W...44.!NEB.S|
011a9830 57 14 04 21 2c a6 91 22 83 f8 22 12 4b 41 e8 94 |W..!,.."..".KA..|
011a9840 c7 dd b2 1c e3 c4 32 00 00 02 00 00 00 00 00 00 |......2.........|
011a9850 00 02 37 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 |..7~Module signa|
011a9860 74 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ture appended~.|
011a986f
|
Have any of you experienced this?
Ionen Developer
Joined: 06 Dec 2018 Posts: 2720
Posted: Sat Dec 16, 2023 10:29 am
Enable USE=pkcs7 on sys-apps/kmod, modinfo is not able to read the (new kind of) signatures without that.
its_randomness n00b
Joined: 06 Dec 2023 Posts: 11
Posted: Sat Dec 16, 2023 11:22 am
Ionen wrote: Enable USE=pkcs7 on sys-apps/kmod, modinfo is not able to read the (new kind of) signatures without that.
Thanks man. That did the trick.
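The hexdump in the first post already contains the trailer that the kernel build appends to a signed module. The following is an added example, not code from the thread or from kmod, that decodes that trailer without relying on modinfo. The struct layout and id_type values follow the kernel's include/linux/module_signature.h; HEXDUMP_TAIL is typed from the dump above, and the function and constant names are chosen for this example.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"
# struct module_signature: five u8 fields (algo, hash, id_type, signer_len,
# key_id_len), three pad bytes, then a big-endian u32 sig_len -> 12 bytes.
TRAILER = struct.Struct(">5B3xI")
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}


def parse_module_signature(data: bytes):
    """Return the trailer fields and signature blob, or None if unsigned."""
    if not data.endswith(MAGIC):
        return None
    end = len(data) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    sig_end = end - TRAILER.size
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        data[sig_end:end])
    return {
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "algo": algo, "hash": hash_,
        "signer_len": signer_len, "key_id_len": key_id_len,
        "sig_len": sig_len,
        # None when only the tail of the file was supplied
        "signature": data[sig_end - sig_len:sig_end] if sig_len <= sig_end else None,
    }


# Tail of ext4.ko as shown in the hexdump above (offsets 0x11a9840 onward):
# 7 signature bytes, the 12-byte trailer, then the marker string.
HEXDUMP_TAIL = bytes.fromhex("c7ddb21ce3c432" "000002000000000000000237") + MAGIC

if __name__ == "__main__":
    # Pass a .ko path to inspect a real module; defaults to the sample tail.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HEXDUMP_TAIL
    info = parse_module_signature(data)
    if info is None:
        print("no appended signature")
    else:
        blob = info.pop("signature")
        print(info)
        if blob is not None:
            # PKCS#7 is DER encoded, so a complete blob starts with 0x30
            print("signature starts with DER SEQUENCE:", blob[:1] == b"\x30")
```

For the dump in the first post this gives id_type PKCS#7 and sig_len 567 with algo, hash, signer_len and key_id_len all zero. The signer and hash details are therefore inside the PKCS#7 blob rather than the trailer, which is why modinfo prints empty fields until kmod is built with USE=pkcs7.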