Sign a module after kernel compilation

I’ve built a kernel in tmpfs, then I rebooted.

Now I see a message when I compile the 3rd party module,

NO SIGN [M] XXXX.ko

How can I get it signed? The key pair generated during rpmbuild is lost already I guess

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

This was surprisingly lacking in documentation. I found this file, module-signing.txt, which is part of the RHEL6 Kernel Documentation. In this document it shows how to generate signing keys, assuming you want to sign all your modules as part of a kernel build:

cat >genkey <<EOF
%pubring kernel.pub
%secring kernel.sec
Key-Type: DSA
Key-Length: 512
Name-Real: A. N. Other
Name-Comment: Kernel Module GPG key
%commit
EOF
make scripts/bin2c
gpg --homedir . --batch --gen-key genkey
gpg --homedir . --export --keyring kernel.pub keyname |
 scripts/bin2c ksign_def_public_key __initdata >crypto/signature/key.h

Also the article from Linux Journal titled: Signed Kernel Modules has some good details and steps on how to do pieces of this, but I couldn’t find the user space tools, extract_pkey and mod that it references.

You might want to poke around Greg Kroah’s site, you may find something useful in one of his presentations.

References

Solution 2

Go to the kernel source directory and do (example):

./scripts/sign-file sha512 ./signing_key.priv ./signing_key.x509 /lib/modules/3.10.1/kernel/drivers/char/my_module.ko

Check what is the digest algorithm your kernel is using by opening .config and reading it in CONFIG_MODULE_SIG config values:

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply