Re: [PATCH v2] Add Documentation/module-signing.txt file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/06/13 08:14, James Solner wrote:
> This patch adds the Documentation/module-signing.txt file that is
> currently missing from the Documentation directory. The init/Kconfig
> file references the Documentation/module-signing.txt file to explain
> how kernel module signing works. This patch supplies this documentation. 
> 
> The initial version of this patch provided old documentation
> that was a mixture of the old RHEL style GPG signing. 
> Version 1 updated the documentation to described the current
> implementation using x509 certificate signing. 
> This new version, version 2, fixes grammar/spelling mistakes and removes
> trailing white spaces. 
> 
> Signed-off-by: James Solner <solner@xxxxxxxxxxxxxxxxxx>
> 
> ---
>  Documentation/module-signing.txt | 115 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 115 insertions(+)
>  create mode 100644 Documentation/module-signing.txt
> 
> diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
> new file mode 100644
> index 0000000..29f8ec7
> --- /dev/null
> +++ b/Documentation/module-signing.txt
> @@ -0,0 +1,115 @@
> +		==============================
> +		KERNEL MODULE SIGNING FACILITY
> +		==============================
> +
> +The module signing facility applies cryptographic signature checking
> +when loading modules by checking its signature against a public key.
> +This allows increased kernel security by disallowing loading unsigned
> +modules or modules signed with an invalid key. Module signing increases
> +the kernel security and reduces the odds of malicious modules being
> +loading into Linux operating system.
> +
> +This facility uses X.509 ITU-T standard to perform the cryptographic
> +work and to determines the format of the signatures and key data. The

               determine

> +key type used is RSA and the possible hash algorithms that can be
> +used are SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. These hash
> +algorithms can be selected during the kernel configuration build:
> +
> +	CONFIG_SIG_SHA1
> +	CONFIG_SIG_SHA224
> +	CONFIG_SIG_SHA256
> +	CONFIG_SIG_SHA384
> +	CONFIG_SIG_SHA512
> +
> +The module signing facility is a kernel feature and is enabled through the
> +Linux kernel configuration builder. In the "Enable Loadable Module Support"
> +section of the kernel configuration, the CONFIG_MODULE_SIG symbol is enabled
> +to activate this feature. This feature supports two options for sign

                                                                   signed

> +module support: "permissive" and "restrictive".  The default is the
> +"permissive" option and allows a module with a valid signature to be loaded.
> +If the signature is invalid, the module is still loaded, but the kernel is
> +marked as "tainted". The "restrictive" option (CONFIG_MODULE_SIG_FORCE)
> +requires a valid signature before the module can be loaded.
> +
> +Modules can be sign using two methodes: "automatically" or "manually".

                  signed         methods:

> +The CONFIG_MODULE_SIG_ALL symbol will automatically sign the modules
> +during the "modules_install" part of the kernel build. A module can also
> +be signed manually using the scripts/sign-file tool.
> +
> +================================================
> +AUTOMATICALLY GENERATING PUBLIC AND PRIVATE KEYS
> +================================================
> +As part of "modules_install" kernel build, the Linux kernel build
> +infrastructure will automatically create two files in the root node
> +of the Linux kernel source tree. These files contain the public/private
> +keys and are called "signing_key.x509" and "signing_key.priv".
> +The public key is built into the kernel and used to verify modules'
> +signatures when the modules are loaded.
> +
> +=================================================
> +MANUALLY GENERATING PUBLIC AND PRIVATE KEYS
> +=================================================
> +To manually generate the key private/public files, use the x509.genkey key
> +generation configuration file in the root node of the Linux kernel
> +sources tree and the openssl command. The following is an example to
> +generate the public/private key files:
> +
> +	openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
> +	   -config x509.genkey -outform DER -out signing_key.x509 \
> +	   -keyout signing_key.priv
> +
> +=========================
> +MANUALLY SIGNING MODULES
> +=========================
> +To manually sign a module, use the scripts/sign-file tool available in
> +the Linux kernel source tree. The script requires 4 arguments:
> +
> +	1. The hash algorithm (e.g., sha256)
> +	2. The private key
> +	3. The public key
> +	4. The kernel module to be signed
> +
> +The following is an example to sign a kernel module:
> +
> +	scripts/sign-file sha512 kernel-signkey.priv \
> +	    kernel-signkey.x509 module.ko
> +
> +============================
> +SIGNED MODULES AND STRIPPING
> +============================
> +
> +A signed module has a digital signature appended at the end. The string
> +"~Module signature appended~." at the end of the module's file confirms
> +that a signature is present. But, it does not confirm that the
> +signature is valid!
> +
> +Signed modules are BRITTLE as the signature is outside of the defined
> +ELF container.  Thus they MAY NOT be stripped once the signature is computed
> +and attached. Note the entire module is the signed payload, including
> +all the debug information present at the time of signing.
> +
> +======================
> +LOADING SIGNED MODULES
> +======================
> +
> +Modules are loaded with insmod, exactly as for unsigned modules.
> +The signature checker checks at the end of the file for the signature
> +marker and applies signature checking.
> +
> +=========================================
> +NON-VALID SIGNATURES AND UNSIGNED MODULES
> +=========================================
> +
> +If CONFIG_MODULE_SIG_FORCE is enabled or enforcemodulesig=1 is supplied on
> +the kernel command line, the kernel will only load validly signed modules
> +for which it has a public key.  Otherwise, it will also load modules that are
> +unsigned.  Any module for which the kernel has a key, but which proves to have
> +a signature mismatch will not be permitted to load.
> +
> +=========================================
> +ADMINISTERING/PROTECTING THE PRIVATE KEY
> +=========================================
> +Since the private key is used to sign modules, malware can use
> +the private key to sign modules and compromise the operating system.
> +The private key must be moved to a secure location and not keep in

                                                              kept

> +the root node of the kernel source tree.
> 


-- 
~Randy
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux