Lines Matching +full:system +full:- +full:on +full:- +full:module
1 Kernel module signing facility
2 ------------------------------
6 .. - Overview.
7 .. - Configuring module signing.
8 .. - Generating signing keys.
9 .. - Public keys in the kernel.
10 .. - Manually signing modules.
11 .. - Signed modules and stripping.
12 .. - Loading signed modules.
13 .. - Non-valid signatures and unsigned modules.
14 .. - Administering/protecting the private key.
21 The kernel module signing facility cryptographically signs modules during
22 installation and then checks the signature upon loading the module. This
24 or modules signed with an invalid key. Module signing increases security by
25 making it harder to load a malicious module into the kernel. The module
29 This facility uses X.509 ITU-T standard certificates to encode the public keys
33 hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, and
34 SHA-512 (the algorithm is selected by data in the signature).
38 Configuring module signing
41 The module signing facility is enabled by going to the
42 :menuselection:`Enable Loadable Module Support` section of
43 the kernel configuration and turning on::
45 CONFIG_MODULE_SIG "Module signature verification"
52 This specifies how the kernel should deal with a module that has a
53 signature for which the key is not known or a module that is unsigned.
60 If this is on (ie. "restrictive"), only modules that have a valid
64 Irrespective of the setting here, if the module has a signature block that
71 If this is on then modules will be automatically signed during the
75 scripts/sign-file
84 ``CONFIG_MODULE_SIG_SHA1`` :menuselection:`Sign modules with SHA-1`
85 ``CONFIG_MODULE_SIG_SHA224`` :menuselection:`Sign modules with SHA-224`
86 ``CONFIG_MODULE_SIG_SHA256`` :menuselection:`Sign modules with SHA-256`
87 ``CONFIG_MODULE_SIG_SHA384`` :menuselection:`Sign modules with SHA-384`
88 ``CONFIG_MODULE_SIG_SHA512`` :menuselection:`Sign modules with SHA-512`
92 than being a module) so that modules signed with that algorithm can have
96 (4) :menuselection:`File name or PKCS#11 URI of module signing key`
103 and its corresponding X.509 certificate in PEM form, or — on systems where
113 (5) :menuselection:`Additional X.509 keys for default system keyring`
116 This option can be set to the filename of a PEM-encoded file containing
117 additional certificates which will be included in the system keyring by
120 Note that enabling module signing adds a dependency on the OpenSSL devel
169 openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
170 -config x509.genkey -outform PEM -out kernel_key.pem \
171 -keyout kernel_key.pem
187 223c7853 I------ 1 perm 1f030000 0 0 keyring .builtin_trusted_keys: 1
188 …302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora kernel signing key: d69a84e6bce3…
191 Beyond the public key generated specifically for module signing, additional
192 trusted certificates can be provided in a PEM-encoded file referenced by the
200 keyctl padd asymmetric "" [.builtin_trusted_keys-ID] <[key-file]
215 To manually sign a module, use the scripts/sign-file tool available in
221 4. The kernel module to be signed
223 The following is an example to sign a kernel module::
225 scripts/sign-file sha512 kernel-signkey.priv \
226 kernel-signkey.x509 module.ko
240 A signed module has a digital signature simply appended at the end. The string
241 ``~Module signature appended~.`` at the end of the module's file confirms that a
246 attached. Note the entire module is the signed payload, including any and all
260 Non-valid signatures and unsigned modules
263 If ``CONFIG_MODULE_SIG_FORCE`` is enabled or module.sig_enforce=1 is supplied on
266 unsigned. Any module for which the kernel has a key, but which proves to have
269 Any module that has an unparseable signature will be rejected.
277 the private key to sign modules and compromise the operating system. The
282 configurations, you must ensure that the module version information is
283 sufficient to prevent loading a module into a different kernel. Either