Mailing List Archive

Meeting log 2013-08-29 20:00UTC
Here is the meeting log from the meeting.
/Magnus
Re: Meeting log 2013-08-29 20:00UTC
> <SwifT> next on the agenda is to check the kernel module signature based protection
> <SwifT> which, when I get a 3.10.x kernel to boot, should be fairly easy to document

It works - I have enabled module signing in Liberté Linux (with custom
certificates), and tested that modified modules are indeed rejected.
Note that the kernel's makefiles are still inconsistent wrt. module
signing: you can use MODSECKEY / MODPUBKEY to sign modules with
non-throwaway certs during "make modules_install", but these variables
will be ignored when actually bundling certs into the kernel [1].

To use non-trivial custom certificates with pre-3.10 kernels, you
would need to backport the patch in [2].

Non-kernel modules need to be signed manually (see bug #447352), e.g.:

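# Sign every module outside ${mainmod}/kernel/ that has no signature yet.
find "${mainmod}" -mindepth 2 ! -path "${mainmod}/kernel/*" -type f \
    -name '*.ko' | \
while read -r mod; do
    # modinfo prints an empty sig_key for an unsigned module
    if [ -z "$(modinfo -F sig_key "${mod}")" ]; then
        "${kernsrc}"/scripts/sign-file "${sighash}" "${sb_kmod}.key" \
            "${sb_kmod}.der" "${mod}"
    fi
done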

[1] https://bugs.gentoo.org/show_bug.cgi?id=447352#c9
[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04b00bdb41d0fd8d9cf3b146e334369cc2b0acdc

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
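
An added example, not part of the message above: a check to run after the signing loop that lists every module still lacking the kernel's appended-signature marker, without relying on modinfo. The function names are hypothetical, and it assumes uncompressed *.ko files; the marker only shows that a signature block is present, while the kernel decides at load time whether it verifies.

```shell
#!/bin/sh
# Added example: list modules that do not end with the appended-signature marker.
# The kernel's sign-file terminates a signed module with this string plus "\n".
MODSIG_MAGIC='~Module signature appended~'
MODSIG_LEN=28   # 27 characters + trailing newline

# Hex form of the marker, so binary tails (NUL bytes) compare safely.
MODSIG_HEX=$(printf '%s\n' "$MODSIG_MAGIC" | od -An -tx1 | tr -d ' \n')

# is_signed FILE: succeed if FILE's last 28 bytes are exactly the marker.
is_signed() {
    tail_hex=$(tail -c "$MODSIG_LEN" "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$tail_hex" = "$MODSIG_HEX" ]
}

# list_unsigned DIR: print the path of every *.ko under DIR without the marker.
# Unlike the signing loop, this also covers DIR/kernel/, so in-tree modules
# that missed signing during "make modules_install" show up too.
list_unsigned() {
    find "$1" -type f -name '*.ko' | sort |
    while IFS= read -r mod; do
        is_signed "$mod" || printf '%s\n' "$mod"
    done
}

# Stand-alone use: ./script /lib/modules/<version>
if [ "$#" -gt 0 ]; then
    list_unsigned "$1"
fi
```

An empty listing means every module carries a signature block; any path printed should be signed before enforcement is switched on.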