6

I've built a kernel in tmpfs, then I rebooted.

Now I see a message when I compile the 3rd party module,

NO SIGN [M] XXXX.ko

How can I get it signed? The key pair generated during rpmbuild is lost already, I guess.

Gilles 'SO- stop being evil'
daisy

2 Answers

10

This was surprisingly lacking in documentation. I found this file, module-signing.txt, which is part of the RHEL6 Kernel Documentation. This document shows how to generate signing keys, assuming you want to sign all your modules as part of a kernel build:

cat >genkey <<EOF
%pubring kernel.pub
%secring kernel.sec
Key-Type: DSA
Key-Length: 512
Name-Real: A. N. Other
Name-Comment: Kernel Module GPG key
%commit
EOF
make scripts/bin2c
gpg --homedir . --batch --gen-key genkey
gpg --homedir . --export --keyring kernel.pub keyname |
 scripts/bin2c ksign_def_public_key __initdata >crypto/signature/key.h

Also, the Linux Journal article titled "Signed Kernel Modules" has some good details and steps on how to do pieces of this, but I couldn't find the user space tools, extract_pkey and mod, that it references.

You might want to poke around Greg Kroah's site; you may find something useful in one of his presentations.

slm
  • Do I need to configure the system to trust the cert? – daisy Dec 16 '16 at 09:43
  • @warl0ck - all I know about signing them was added to this answer. I'd never even contemplated signing them until you asked this Q. – slm Dec 16 '16 at 13:52
  • I found this link very useful. https://github.com/Canonical-kernel/Ubuntu-kernel/blob/master/Documentation/module-signing.txt Looks like there's no way to install a module to a prebuilt kernel, if it's signed by a 3rdparty .. – daisy Dec 16 '16 at 14:46
1

Go to the kernel source directory and do (example):

./scripts/sign-file sha512 ./signing_key.priv ./signing_key.x509 /lib/modules/3.10.1/kernel/drivers/char/my_module.ko

Check which digest algorithm your kernel is using by opening .config and reading the CONFIG_MODULE_SIG config values:

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
Sari
P Royo
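
A pre-flight check for the sign-file step in the answer above, as an added example that is not part of either answer: it reads the digest from .config, skips modules that already end with the appended-signature marker, and prints the sign-file command for review. The function names and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of the kernel tree.
MAGIC='~Module signature appended~'   # marker the kernel looks for, plus "\n" = 28 bytes

# Print the digest from CONFIG_MODULE_SIG_HASH; fail if signing is not enabled.
module_sig_hash() {  # arg: path to .config
    grep -q '^CONFIG_MODULE_SIG=y$' "$1" || return 1
    algo=$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\([a-z0-9]*\)"$/\1/p' "$1")
    [ -n "$algo" ] && printf '%s\n' "$algo"
}

# Succeed only if the file ends with the marker. Bytes are compared as hex so
# binary module content never passes through a shell variable.
module_is_signed() {  # arg: path to .ko
    want=$(printf '%s\n' "$MAGIC" | od -An -tx1 | tr -d ' \n')
    got=$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$got" = "$want" ]
}

# Print the sign-file command for an unsigned module, for review before running.
sign_cmd() {  # args: .config, private key, X.509 cert, module
    algo=$(module_sig_hash "$1") || { echo "signing not enabled in $1" >&2; return 1; }
    if module_is_signed "$4"; then echo "already signed: $4" >&2; return 2; fi
    printf './scripts/sign-file %s %s %s %s\n' "$algo" "$2" "$3" "$4"
}

# Constructed sample inputs (not real kernel files).
make_samples() {  # arg: existing empty directory
    printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_HASH="sha512"\n' > "$1/config"
    printf 'fake-module-bytes' > "$1/unsigned.ko"
    printf 'fake-module-bytes fake-signature %s\n' "$MAGIC" > "$1/signed.ko"
}

# Demo on the constructed samples when run directly with the argument "demo".
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_samples "$d"
    sign_cmd "$d/config" ./signing_key.priv ./signing_key.x509 "$d/unsigned.ko"
    rm -rf "$d"
fi
```

The marker only shows that a signature has been appended; the kernel still has to verify that signature against a key it trusts before the module loads as signed.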