KERNEL MODULE SIGNING IN RHEL-7
Hi,
I have done the following steps to insert the signed module in RHEL7, and for this I have referred to the document at the following location: /usr/share/doc/kernel-doc-uname-r/documentation/module-signing.txt
Step 1: The key generation configuration file named x509.genkey is used, which has the following content in it:
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = myexts
[ req_distinguished_name ]
O = Vendor
CN = Product_Name signing key
emailAddress = secalert@redhat.com
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
Step 2: The public key (x509.genkey) and private key (signing_key.priv) are generated in the same location (/home/directory_name), using the sha256 algorithm, with the following command:
"openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.priv"
Step 3: I have then signed my module using the following command:
"/usr/src/kernels/3.10.0-54.0.1.el7.x86_64/scripts/sign-file sha256 ./signing_key.priv ./signing_key.x509 module.ko"
Step 4: Modules signed in the previous step are verified via the following command:
"hexdump -C module.ko | tail"
Sample output for step 4:
000c2000 39 29 40 fa 5d 9c 46 b3 6c 7c b8 72 1b 9a 6e 97 |9)@.].F.l|.r..n.|
000c2010 21 04 d9 52 8a de 70 33 c3 a9 b0 b1 d5 ac 7a a7 |!..R..p3......z.|
000c2020 81 07 02 31 a9 11 92 df c0 3c 76 ee 86 41 6f 62 |...1.....<v..Aob|
000c2030 3e db 94 b1 9b 0e 87 8b e1 59 df 40 21 7b 69 4b |>........Y.@!{iK|
000c2040 57 6c da 9d 2d 39 91 3d c1 63 c6 6e 8d b0 99 e8 |Wl..-9.=.c.n....|
000c2050 0b a5 85 bd 32 f4 5c a7 e6 5b 05 ed f0 f1 01 04 |....2.\..[......|
000c2060 01 28 14 00 00 00 00 00 02 02 7e 4d 6f 64 75 6c |.(........~Modul|
000c2070 65 20 73 69 67 6e 61 74 75 72 65 20 61 70 70 65 |e signature appe|
000c2080 6e 64 65 64 7e 0a |nded~.|
000c2086
Step 5: Modules signed in the previous step are also verified via the following command:
"modinfo module"
Sample output for step 5:
filename: /lib/modules/3.10.0-54.0.1.el7.x86_64/extra/vendor/Product_Name/module.ko
license: Proprietary: Contact vendor for any bugs
srcversion: 4FF1D6CB76EB9CD76905CBD
depends:
vermagic: 3.10.0 SMP mod_unload modversions
signer: Product_Name signing key
sig_key: BC:67:19:71:1F:2C:59:36:D3:31:8A:A7:11:FC:B1:F0:C9:89:6A:12
sig_hashalgo: sha256
Step 6: The original module is replaced with the signed modules created in step 4.
Step 7: The system is rebooted.
After system reboot, when I check syslogs the following warning is displayed:
kernel: [ 692.292998] module_name: module license 'Proprietary: Contact Vendor for any bugs' taints kernel.
kernel: [ 692.293043] Disabling lock debugging due to kernel taint
kernel: [ 692.293557] module_name: module verification failed: signature and/or required key missing - tainting kernel
Please let me know whether I am following a wrong procedure in module signing and inserting the signed module, along with the exact procedure to successfully insert the signed module.
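The hexdump in step 4 shows the trailer that scripts/sign-file appends to a module: the signer name, the key identifier, the signature in MPI form (two-byte big-endian bit count followed by the signature bytes), a 12-byte struct module_signature, and the magic string "~Module signature appended~\n". The bytes just before the magic in the posted dump, 01 04 01 28 14 00 00 00 00 00 02 02, decode to RSA, SHA-256, X.509 key id, a 40-byte signer name, a 20-byte key id and 514 signature bytes (2 + 512, i.e. a 4096-bit key). The following parser is an added example, not code from the original post or from the kernel tree; it reads that trailer back so the key id can be compared with the sig_key line of modinfo. The sample module it builds is constructed (a fake ELF header and a dummy signature), so it runs offline.

```python
"""Parse the signature trailer appended to a kernel module by scripts/sign-file.

Trailer layout (3.10-era kernel, as described in module-signing.txt):
  [module ELF data]
  [signer name          : signer_len bytes]
  [key identifier       : key_id_len bytes]
  [signature            : sig_len bytes; for X.509 an MPI: 2-byte bit count + data]
  [struct module_signature : 12 bytes]
  [magic                : "~Module signature appended~\\n"]
"""
import struct
import sys

MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 __pad[3], __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3xI")

PKEY_ALGO = {0: "dsa", 1: "rsa"}
PKEY_HASH = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
             5: "sha384", 6: "sha512", 7: "sha224"}
PKEY_ID = {0: "pgp", 1: "x509"}


def parse_module_signature(data: bytes) -> dict:
    """Return the fields of the appended signature, or raise ValueError."""
    if not data.endswith(MAGIC):
        raise ValueError("no module signature appended")
    body = data[:-len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated: struct module_signature missing")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:])
    body = body[:-SIG_STRUCT.size]
    total = signer_len + key_id_len + sig_len
    if total > len(body):
        raise ValueError("truncated: trailer lengths exceed file size")
    payload_len = len(body) - total
    signer = body[payload_len:payload_len + signer_len]
    key_id = body[payload_len + signer_len:payload_len + signer_len + key_id_len]
    sig = body[payload_len + signer_len + key_id_len:]
    info = {
        "algo": PKEY_ALGO.get(algo, "unknown(%d)" % algo),
        "hash": PKEY_HASH.get(hash_, "unknown(%d)" % hash_),
        "id_type": PKEY_ID.get(id_type, "unknown(%d)" % id_type),
        "signer": signer.decode("utf-8", "replace"),
        # Same colon-separated upper-case form that modinfo prints as sig_key
        "key_id": ":".join("%02X" % b for b in key_id),
        "sig_len": sig_len,
        "payload_len": payload_len,
    }
    if id_type == 1:
        # X.509 signatures are stored as an MPI: bit count, then the bytes
        if sig_len < 2:
            raise ValueError("signature too short for MPI form")
        bits = struct.unpack(">H", sig[:2])[0]
        if 2 + (bits + 7) // 8 != sig_len:
            raise ValueError("MPI bit count does not match sig_len")
        info["sig_bits"] = bits
    return info


def build_sample_module() -> bytes:
    """Constructed test input: fake ELF payload + RSA-4096/SHA-256 style trailer."""
    payload = b"\x7fELF" + b"\x00" * 60          # not a real module
    signer = b"Vendor signing key"
    key_id = bytes(range(20))                    # constructed 20-byte key id
    raw_sig = b"\xa5" * 512                      # constructed 4096-bit signature
    sig = struct.pack(">H", len(raw_sig) * 8) + raw_sig
    hdr = SIG_STRUCT.pack(1, 4, 1, len(signer), len(key_id), len(sig))
    return payload + signer + key_id + sig + hdr + MAGIC


if __name__ == "__main__":
    # Usage: python modsig.py /path/to/module.ko  (no argument: parse the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_module()
    for k, v in parse_module_signature(data).items():
        print("%-12s %s" % (k, v))
```

A trailer that parses cleanly proves only that the signature was appended; the kernel still rejects the module with "signature and/or required key missing" if the key id is not present in its trusted keyring, so the useful follow-up check is to compare the key_id printed here (it should equal the sig_key value from modinfo) with the keys listed by keyctl list %:.system_keyring on the running RHEL 7 kernel.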