CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3628
Posted: Mon Jan 08, 2024 6:17 pm Post subject: kernel-6.7.0: New SHA3 module encryption option. [solved]
External modules have been signed here with:
  scripts/sign-file sha"$SHA_SIZ" certs/signing_key.pem certs/signing_key.x509
where $SHA_SIZ may vary among 256, 384 & 512.
The binary scripts/sign-file has little help support, as:
  amd64 /usr/src/linux-6.7.0-gentoo/scripts # ./sign-file
  Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
         scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]
which is not enough for me to understand what should be the keyword for the new type of parameter.
Any idea how to figure this out?
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here.
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus."
Last edited by CaptainBlood on Tue Jan 09, 2024 1:54 am; edited 1 time in total
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3628
Posted: Tue Jan 09, 2024 1:53 am Post subject:
  scripts/sign-file sha3_"$SHA_SIZ" certs/signing_key.pem certs/signing_key.x509 <full-path-to-module.ko>
did the trick.
Plz note signing should be done before any compression.
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here.
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus."
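The two points of the solution above, the sha3_<size> hash keyword and signing before compression, wrapped into a small script. This is an added example, not code from the thread or from the kernel tree. It assumes KSRC points at a configured kernel tree that was built with CONFIG_MODULE_SIG, so that scripts/sign-file and certs/signing_key.pem / certs/signing_key.x509 exist, and it uses the sha3_<size> keyword form exactly as the post reports it working; the names sha3_hash_name, is_compressed_module, has_signature_trailer and sign_module are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: sign an out-of-tree module with a
# SHA-3 digest via the kernel's scripts/sign-file, refuse to touch an already
# compressed module, and confirm the signature trailer afterwards.
# Assumptions: KSRC is a kernel tree built with CONFIG_MODULE_SIG (so
# scripts/sign-file and certs/signing_key.{pem,x509} exist); the hash keyword
# form sha3_<size> is the one reported as working in the thread.

KSRC="${KSRC:-/usr/src/linux}"
# Trailer that sign-file appends to a signed module (followed by "\n").
SIG_MAGIC='~Module signature appended~'

# Map a digest size to the <hash algo> keyword; anything else is rejected.
sha3_hash_name() {
    case "$1" in
        256|384|512) printf 'sha3_%s\n' "$1" ;;
        *) printf 'unsupported SHA-3 size: %s\n' "$1" >&2; return 1 ;;
    esac
}

# A compressed module must not be signed: the signature has to sit inside the
# compressed stream, so sign the plain .ko first and compress afterwards.
is_compressed_module() {
    case "$1" in
        *.ko.gz|*.ko.xz|*.ko.zst) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the last 28 bytes of the file are the sign-file trailer.
has_signature_trailer() {
    [ -f "$1" ] || return 1
    [ "$(tail -c 28 "$1" | tr -d '\n')" = "$SIG_MAGIC" ]
}

# sign_module SIZE MODULE.ko: sign in place, then verify the trailer is there.
sign_module() {
    hash_name=$(sha3_hash_name "$1") || return 1
    module="$2"
    if is_compressed_module "$module"; then
        printf 'refusing to sign %s: decompress, sign, then recompress\n' "$module" >&2
        return 1
    fi
    if has_signature_trailer "$module"; then
        printf '%s already carries a signature\n' "$module" >&2
        return 0
    fi
    "$KSRC/scripts/sign-file" "$hash_name" "$KSRC/certs/signing_key.pem" \
        "$KSRC/certs/signing_key.x509" "$module" || return 1
    has_signature_trailer "$module"
}

# Usage: KSRC=/usr/src/linux-6.7.0-gentoo sign_module 256 /path/to/module.ko
```

The trailer check is deliberately cheap: it only proves that something appended a signature block, not that the signature verifies against the kernel's keyring. Whether the kernel accepts the module is decided at load time, and with CONFIG_MODULE_SIG_FORCE unset a bad signature only produces a tainted, still-loaded module, so the check above is a build-pipeline sanity test rather than a substitute for enforcement.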
NathanZachary Moderator
Joined: 30 Jan 2007 Posts: 2605
Posted: Wed Feb 21, 2024 5:56 am Post subject:
Pardon the ancillary question, but what was your process for having the scripts/sign-file utility available? I don't have that in =sys-kernel/gentoo-sources-6.7.4.
Thank you for your time.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
NathanZachary Moderator
Joined: 30 Jan 2007 Posts: 2605
Posted: Wed Feb 21, 2024 6:07 am Post subject:
Hmmmm, looking further into the problem, it might be that I don't have 'CONFIG_MODULE_SIG' set. I wonder if that option toggles the availability of the 'sign-file' script? I would imagine that enabling this option by itself (without 'CONFIG_SECURITY_LOCKDOWN_LSM') would still allow for unsigned modules to load and could fall back on the Secure Boot policy in UEFI.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4157 Location: Bavaria
Posted: Wed Feb 21, 2024 1:59 pm Post subject:
NathanZachary wrote:
    Hmmmm, looking further into the problem, it might be that I don't have 'CONFIG_MODULE_SIG' set. I wonder if that option toggles the availability of the 'sign-file' script? I would imagine that enabling this option by itself (without 'CONFIG_SECURITY_LOCKDOWN_LSM') would still allow for unsigned modules to load and could fall back on the Secure Boot policy in UEFI.
For this you must enable CONFIG_MODULE_SIG_FORCE.
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
NathanZachary Moderator
Joined: 30 Jan 2007 Posts: 2605
Posted: Wed Feb 21, 2024 3:12 pm Post subject:
Got it. So, I should be able to check whether 'CONFIG_MODULE_SIG' gives me the `sign-file` script without running the risk of module signatures being enforced. I'll give it a try, and will report my findings. Thank you for confirming.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
NathanZachary Moderator
Joined: 30 Jan 2007 Posts: 2605
Posted: Wed Feb 21, 2024 4:09 pm Post subject:
I have confirmed that 'CONFIG_MODULE_SIG' is the necessary kernel option that will build the `sign-file` script under /usr/src/$KERNEL/scripts/. It's also responsible for generating the build-time kernel signing key and the .builtin_trusted_keys keyring (which is built at boot time).
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
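A quick way to tell from a kernel config which of the two situations discussed in this part of the thread applies: CONFIG_MODULE_SIG alone builds sign-file and the signing key but still lets unsigned modules load, while CONFIG_MODULE_SIG_FORCE is what makes the kernel refuse them. This is an added example, not from the thread; the sample config contents it writes are constructed (the CONFIG_MODULE_SIG_HASH strings in them are illustrative, the real value comes from the tree's Kconfig), and config_value, module_sig_policy, module_sig_hash and write_sample_config are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the thread: read a kernel .config and report
# what its module-signing options mean, as established in the thread:
#   CONFIG_MODULE_SIG=y        -> scripts/sign-file and the build key exist,
#                                 but unsigned modules still load
#   CONFIG_MODULE_SIG_FORCE=y  -> unsigned / badly signed modules are refused
# The sample configs written below are constructed for this example.

# config_value FILE OPTION: print the option's value, or "n" when unset.
config_value() {
    v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    if [ -z "$v" ]; then echo n; else echo "$v"; fi
}

# module_sig_policy FILE: print one of unavailable | available | enforced.
module_sig_policy() {
    sig=$(config_value "$1" CONFIG_MODULE_SIG)
    force=$(config_value "$1" CONFIG_MODULE_SIG_FORCE)
    if [ "$sig" != y ]; then
        echo unavailable        # no sign-file, no build-time key
    elif [ "$force" = y ]; then
        echo enforced           # unsigned modules are rejected at load time
    else
        echo available          # signing tooling present, loading not enforced
    fi
}

# module_sig_hash FILE: the digest the build signs with, quotes stripped.
module_sig_hash() {
    h=$(config_value "$1" CONFIG_MODULE_SIG_HASH | tr -d '"')
    if [ "$h" = n ]; then echo none; else echo "$h"; fi
}

# write_sample_config FILE none|available|enforced: constructed test input,
# deliberately using the "# CONFIG_X is not set" form a real .config uses.
write_sample_config() {
    {
        echo '# constructed sample, not a real kernel .config'
        echo 'CONFIG_MODULES=y'
        case "$2" in
            none)
                echo '# CONFIG_MODULE_SIG is not set' ;;
            available)
                echo 'CONFIG_MODULE_SIG=y'
                echo '# CONFIG_MODULE_SIG_FORCE is not set'
                echo 'CONFIG_MODULE_SIG_HASH="sha3-256"' ;;   # illustrative value
            enforced)
                echo 'CONFIG_MODULE_SIG=y'
                echo 'CONFIG_MODULE_SIG_FORCE=y'
                echo 'CONFIG_MODULE_SIG_HASH="sha512"' ;;     # illustrative value
        esac
    } > "$1"
}

# Usage against a live system: module_sig_policy /usr/src/linux/.config
# or, for the running kernel: zcat /proc/config.gz > /tmp/cfg; module_sig_policy /tmp/cfg
```

The "available" state is the one NathanZachary was after: sign-file gets built and modules can be signed without the risk of locking yourself out if a module is missed, and you can later flip CONFIG_MODULE_SIG_FORCE once every module you load carries a signature.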