Linuxer.
全部博文(199)
分类: LINUX
2013-11-21 11:56:31
一、前言
linux内核从3.7 开始加入模块签名检查机制,如果内核选项CONFIG_MODULE_SIG和CONFIG_MODULE_SIG_FORCE打开的话,当加载模块时内核会检查模块的签名,如果签名不存在或者签名内容不一致,会强制退出模块的加载。所以为模块签名就尤为重要。如果是内核选项CONFIG_MODULE_SIG_ALL打开,内核编译模块时会自动为模块签名。否则就要自己对模块签名。
首先我们就要想到用什么签名工具,因为签名机制从3.7 内核才加入,所以为模块签名的资料少之又少,我找了很长时间也没有头绪,网上说的最多的都是openssl来做签名。所以理所当然的我也使用openssl来做签名,但是它是linux内核之外的工具,就算生成签名,你还要手动添加到模块.ko文件最后,还要设置一些内核要检查的固定结构体(例如:signature_module结构),很是麻烦,并且内核的key你拿不到,用的不是内核的可以签名肯定通不过检查。所以这种方法至少我认为不可行。
后来又开始找别的签名工具,但是都不成功,实验了很长时间。但是偶尔查找资料看到一篇外文资料,关于内核签名的。讲的很详细,原来内核签名工具就在linux内核之中,折腾了半天原来解决方法就在旁边,既兴奋又坑爹。给我的教训就是,查资料的时候尽可能的查英文资料,不得不说确实比国内的资料多而且质量要高。
二、下边就奉上这篇英文资料:
Since Linux kernel version 3.7 onwards, support has been added for signed kernel modules. When enabled, the Linux kernel will only load kernel modules that are digitally signed with the proper key. This allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded. Malicious kernel modules are a common method for loading rootkits on a Linux system.
Contents[] |
Enabling support is a matter of toggling a few settings in the Linux kernel configuration. Unless you want to use your own keypair, this is all that has to be done to enable kernel module support.
Module signature verification is a kernel feature, so has to be enabled through the Linux kernel configuration. You can find the necessary options under Enable loadable module support.
--- Enable loadable module support [*] Module signature verification [*] Require modules to be validly signed [*] Automatically sign all modules Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
The option Module signature verification (CONFIG_MODULE_SIG) enables the module signature verification in the Linux kernel. It supports two approaches on signed module support: a rather permissive one and a strict one. By default, the permissive approach is used, which means that the Linux kernel module either has to have a valid signature, or no signature. With the strict approach, a valid signature must be present. In the above example, the strict approach is used by selecting Require modules to be validly signed (CONFIG_MODULE_SIG_FORCE). Another way of enabling this strict approach is to set the kernel boot option enforcemodulesig=1.
When building the Linux kernel, the kernel modules will not be signed automatically unless you select Automatically sign all modules (CONFIG_MODULE_SIG_ALL).
Finally, we need to select the hash algorithm to use with the cryptographic signature. In the above example, we use SHA-512.
When the Linux kernel is building with module signature verification support enabled, then you can use your own keys or have the Linux kernel build infrastructure create a set for you. If you want the Linux kernel build infrastructure to create it for you, just continue as you always do with a make and make modules_install. At the end of the build process, you will notice that signing_key.priv and signing_key.x509 will be available on the root of the Linux kernel sources.
If we want to use our own keys, you can use openssl to create a key pair (private key and public key). The following command, taken from kernel/Makefile, creates such a key pair.
[ req ] default_bits = 4096 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = myexts [ req_distinguished_name ] O = GenFic CN = Kernel Signing Key emailAddress = server.support@genfic.com [ myexts ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=keyid
The resulting files need to be stored as signing_key.x509 and signing_key.priv in the root of the Linux kernel source tree.
The public key part will be build inside the Linux kernel. If you configured the kernel to sign modules, this signing will take place during the make modules_install part.
Reboot with the newly configured kernel. In the output of dmesg you should be able to confirm that the proper certificate is loaded:
The kernel modules have the digital signature appended at the end. A simple hexdump can confirm if a signature is present or not:
The string ~Module signature appended~ at the end confirms that a signature is present. Of course, it does not confirm that the signature is valid or not.
To remove the signature, we can use the strip command:
If we try to load this module now, we get a failure:
This confirms that modules without a signature are not loaded.
Once the kernel boots and we have validated that the signed kernel module support works, it is important to correctly handle the keys themselves.
The private key, stored as signing_key.priv, needs to be moved to a secure location (unless you will be creating new keys for new kernels, in which case the file can be removed). Do not keep it at /usr/src/linux on production systems as malware can then easily use this key to sign the malicious kernel modules (such as rootkits) and compromise the system further.
If you ever need to manually sign a kernel module, you can use the scripts/sign-file script available in the Linux kernel source tree. It requires four arguments:
In this case, the key pair does not need to be named signing_file.priv and such, nor do they need to be in the root of the Linux kernel source tree location.
If we create a kernel package through make tarbz2-pkg, the modules in it will be signed already so we do not need to manually sign them afterwards. The signing keys themselves are not distributed with it.
In Booting a self-signed Linux kernel Greg Kroah-Hartman describes how to boot a self-signed Linux kernel from EFI. As having signed kernel module support is only secure if the Linux kernel is trusted, this is an important (and related) feature to work with.