Module Signing and Secure Boot


I’m building a new device driver and use a Symantec EV certificate to sign the driver and installer for the Windows environment. However, it’s unclear what the proper procedure is for the RHEL environment. I understand and perform self-signing during development using the steps listed in the Admin Guide but what is the standard signing practice when publishing a third-party kernel module for RHEL customers? Your experience or insight is appreciated.
1) Is self-signing my only option?
2) DKMS looks like a nice solution for kernel modules. Do you offer both DKMS (results in unsigned ko) and signed modules to the RHEL customers?
3) Is there an acceptable method to eliminate the “tainting kernel” message for a signed third-party kernel module?
4) For the case when the RHEL customer is using Secure Boot, must I provide customer instructions for importing the public key associated with the third-party kernel module into the Authorized Signature database, or is there some way to map (cross-cert) to the default Red Hat key? (note: my UEFI option-rom is in the process of being signed by Microsoft....hopefully)

Responses

Happy to share our experience with you. We run a 3rd party repo (elrepo.org) providing 3rd party drivers as kABI-tracking kmod packages (better than DKMS in our opinion for a number of reasons). We self sign our kernel modules.

Addressing your specific questions as best I can:

1) We self sign as that's the only option available to us.

2) We prefer the kmod format over DKMS. I don't see how offering signed DKMS modules would be possible. DKMS modules are compiled at install time on the end user's system, so the end user would need access to your private signing key to sign the built module.

We build our kmod packages and sign the kernel module(s) during the build process with our private key on the build host before they are packaged.

You can see our SPEC file template here that shows the code we use to sign the modules:

https://github.com/elrepo/templates/blob/master/el7/template-kmod.spec

# Sign the module(s)
%if %{?_with_modsign:1}%{!?_with_modsign:0}
# If the module signing keys are not defined, define them here.
%{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}
%{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}
for module in $(find %{buildroot} -type f -name \*.ko);
do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
    sha256 %{privkey} %{pubkey} $module;
done
%endif

Note: if stripping the module, you MUST do so before signing as stripping will remove the signature.

3) Not as far as I'm aware. Below is the relevant code from kernel/module.c. If the module signature check fails for any reason (e.g., the public key is not available or the check fails) then the kernel will print that message. You'd need to patch the kernel to suppress it.

#ifdef CONFIG_MODULE_SIG
    mod->sig_ok = info->sig_ok;
    if (!mod->sig_ok) {
        printk_once(KERN_NOTICE
                "%s: module verification failed: signature and/or"
                " required key missing - tainting kernel\n",
                mod->name);
        add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_STILL_OK);
    }
#endif

4) We do as you suggest in the first part of your question - we provide end users with information on how to import our Secure Boot public key into their Machine Owner Key (MOK) list:

http://elrepo.org/tiki/SecureBootKey

Hopefully someone can give you more insight into the parts of your questions I'm unable to address.

Fixed the formatting issues above :-)
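
A build-time check for the strip-before-sign note above, added here as an illustration and not part of the original replies or the ELRepo template: it reads the trailer that sign-file appends to a .ko and lists modules that lack it. The function names and sample bytes are constructed for this example, and the check confirms only that a signature is present, not that it verifies against a key.

```python
import struct

# Trailer the kernel's module loader looks for at the very end of a signed .ko
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total)
SIG_INFO = struct.Struct(">BBBBB3xI")
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}


def module_signature_info(blob: bytes):
    """Describe the signature appended to a module image, or None if unsigned."""
    if not blob.endswith(MAGIC):
        return None
    info_end = len(blob) - len(MAGIC)
    if info_end < SIG_INFO.size:
        raise ValueError("file too short to hold signature info")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        blob[info_end - SIG_INFO.size:info_end])
    # Layout before the info struct: module, signer name, key id, signature
    payload_len = info_end - SIG_INFO.size - signer_len - key_id_len - sig_len
    if payload_len < 0:
        raise ValueError("signature lengths exceed file size")
    return {"id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
            "sig_len": sig_len, "payload_len": payload_len}


def unsigned_modules(paths):
    """Return the paths whose files lack the appended-signature trailer."""
    missing = []
    for path in paths:
        with open(path, "rb") as fh:
            if module_signature_info(fh.read()) is None:
                missing.append(path)
    return missing


# Constructed sample, not a real module: fake ELF bytes plus a fake trailer.
ELF_BODY = b"\x7fELF" + b"\x00" * 60
SIGNER, KEY_ID, FAKE_SIG = b"Example Signer", b"\x01" * 20, b"\xaa" * 256
SIGNED = (ELF_BODY + SIGNER + KEY_ID + FAKE_SIG +
          SIG_INFO.pack(1, 4, 1, len(SIGNER), len(KEY_ID), len(FAKE_SIG)) + MAGIC)
# Stand-in for strip, which rewrites the ELF and drops the data appended to it.
STRIPPED = SIGNED[:len(ELF_BODY)]

if __name__ == "__main__":
    print("signed:  ", module_signature_info(SIGNED))
    print("stripped:", module_signature_info(STRIPPED))
```

Running unsigned_modules over the .ko files in the build root after the signing loop, and failing the build if the list is non-empty, catches a strip step that ran in the wrong order.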
