Kernel signature mechanism
From: http://blog.csdn.net/u011923747/article/details/18619545
Signed kernel module support
From Linux kernel version 3.7 onwards, signed kernel modules are supported. When enabled, the Linux kernel will only load kernel modules that are digitally signed with the proper key. This allows further hardening of the system by refusing to load unsigned kernel modules or kernel modules signed with the wrong key. Malicious kernel modules are a common method for loading rootkits on a Linux system.
Contents
- 1 Enabling module signature verification
- 1.1 Configuring module signature verification
- 1.2 Building the kernel with proper keys
- 1.3 Validating module signature support
- 2 Administering kernel module signatures
- 2.1 Protecting the private key
- 2.2 Manually signing modules
- 2.3 Distributing the kernel and modules
- 3 More resources
Enabling module signature verification
Enabling support is a matter of toggling a few settings in the Linux kernel configuration. Unless you want to use your own key pair, this is all that has to be done to enable signed kernel module support.
Configuring module signature verification
Module signature verification is a kernel feature, so it has to be enabled through the Linux kernel configuration. You can find the necessary options under Enable loadable module support.
--- Enable loadable module support
[*]   Module signature verification
[*]     Require modules to be validly signed
[*]     Automatically sign all modules
      Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
The option Module signature verification (CONFIG_MODULE_SIG) enables module signature verification in the Linux kernel. It supports two approaches to signed module support: a rather permissive one and a strict one. By default, the permissive approach is used, which means that a Linux kernel module must have either a valid signature or no signature at all. With the strict approach, a valid signature must be present. In the above example, the strict approach is used by selecting Require modules to be validly signed (CONFIG_MODULE_SIG_FORCE). Another way of enabling this strict approach is to set the kernel boot option enforcemodulesig=1.
When building the Linux kernel, the kernel modules will not be signed automatically unless you select Automatically sign all modules (CONFIG_MODULE_SIG_ALL).
Finally, we need to select the hash algorithm to use with the cryptographic signature. In the above example, we use SHA-512.
Building the kernel with proper keys
When the Linux kernel is built with module signature verification support enabled, you can use your own keys or have the Linux kernel build infrastructure create a set for you. If you want the Linux kernel build infrastructure to create it for you, just continue as you always do with a make and make modules_install. At the end of the build process, you will notice that signing_key.priv and signing_key.x509 are available in the root of the Linux kernel sources.
If you want to use your own keys, you can use openssl to create a key pair (private key and public key). The following command, taken from kernel/Makefile, creates such a key pair.
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = GenFic
CN = Kernel Signing Key
emailAddress = server.support@genfic.com

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
The resulting files need to be stored as signing_key.x509 and signing_key.priv in the root of the Linux kernel source tree.
The public key part will be built into the Linux kernel. If you configured the kernel to sign modules, this signing will take place during the make modules_install part.
Validating module signature support
Reboot with the newly configured kernel. In the output of dmesg you should be able to confirm that the proper certificate is loaded:
The kernel modules have the digital signature appended at the end. A simple hexdump can confirm if a signature is present or not:
The string ~Module signature appended~ at the end confirms that a signature is present. Of course, it does not confirm whether the signature is valid.
To remove the signature, we can use the strip command:
If we try to load this module now, we get a failure:
This confirms that modules without a signature are not loaded.
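The presence check described above, as an added example that is not part of the original article: a Python parser for the information block that sits just before the ~Module signature appended~ marker. The 12-byte field layout and the numeric codes are taken from the kernel's struct module_signature as an assumption (the page does not show them), and the sample module is constructed.

```python
import struct

MAGIC = b"~Module signature appended~\n"
# Assumed layout of the kernel's struct module_signature (not on the page):
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len.
TRAILER = struct.Struct(">BBBBB3xI")
HASHES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
ID_TYPES = {0: "pgp", 1: "x509", 2: "pkcs7"}


def parse_module_signature(blob: bytes):
    """Return the trailer fields of a signed module, or None if unsigned.

    Raises ValueError if the marker is present but the trailer is malformed.
    Structure only: nothing here verifies the signature against a key.
    """
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    _algo, hash_id, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    body_len = end - TRAILER.size - signer_len - key_id_len - sig_len
    if sig_len == 0 or body_len < 0:
        raise ValueError("signature lengths do not fit the module size")
    sig_start = end - TRAILER.size - sig_len
    return {
        "hash": HASHES.get(hash_id, f"unknown({hash_id})"),
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "signer": blob[body_len:body_len + signer_len].decode("utf-8", "replace"),
        "key_id": blob[body_len + signer_len:sig_start].hex(),
        "sig_len": sig_len,
        "module_len": body_len,
    }


def build_sample() -> bytes:
    """Constructed sample: fake module body, signer, key id, signature, trailer."""
    body = b"\x7fELF" + b"\x00" * 60
    signer, key_id, sig = b"GenFic: Kernel Signing Key", bytes(range(20)), b"\xaa" * 512
    # algo 1 (RSA), hash 6 (sha512), id_type 1 (x509)
    trailer = TRAILER.pack(1, 6, 1, len(signer), len(key_id), len(sig))
    return body + signer + key_id + sig + trailer + MAGIC


if __name__ == "__main__":
    signed = build_sample()
    print(parse_module_signature(signed))
    print(parse_module_signature(signed[:64]))  # signature removed: None
```

A module that fails the length checks carries the marker without a usable signature, which is the case the hexdump check alone cannot distinguish.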
Administering kernel module signatures
Once the kernel boots and we have validated that the signed kernel module support works, it is important to correctly handle the keys themselves.
Protecting the private key
The private key, stored as signing_key.priv, needs to be moved to a secure location (unless you will be creating new keys for new kernels, in which case the file can be removed). Do not keep it at /usr/src/linux on production systems, as malware can then easily use this key to sign malicious kernel modules (such as rootkits) and compromise the system further.
Manually signing modules
If you ever need to manually sign a kernel module, you can use the scripts/sign-file script available in the Linux kernel source tree. It requires four arguments:
- The hash algorithm to use, such as sha512
- The private key location
- The certificate (which includes the public key) location
- The kernel module to sign
In this case, the key pair files do not need to be named signing_key.priv and such, nor do they need to be in the root of the Linux kernel source tree.
Distributing the kernel and modules
If we create a kernel package through make tarbz2-pkg, the modules in it will be signed already so we do not need to manually sign them afterwards. The signing keys themselves are not distributed with it.
More resources
In "Booting a self-signed Linux kernel", Greg Kroah-Hartman describes how to boot a self-signed Linux kernel from EFI. As signed kernel module support is only secure if the Linux kernel itself is trusted, this is an important (and related) feature to work with.
Original link: http://wiki.gentoo.org/wiki/Signed_kernel_module_support