I’ve built a kernel in tmpfs, then I rebooted.
Now I see a message when I compile the 3rd party module:
NO SIGN [M] XXXX.ko
How can I get it signed? The key pair generated during rpmbuild is lost already, I guess.
Here are the solutions:
This was surprisingly lacking in documentation. I found this file, module-signing.txt, which is part of the RHEL6 Kernel Documentation. The document shows how to generate signing keys, assuming you want to sign all your modules as part of a kernel build:
cat >genkey <<EOF
%pubring kernel.pub
%secring kernel.sec
Key-Type: DSA
Key-Length: 512
Name-Real: A. N. Other
Name-Comment: Kernel Module GPG key
%commit
EOF
make scripts/bin2c
gpg --homedir . --batch --gen-key genkey
gpg --homedir . --export --keyring kernel.pub keyname |
 scripts/bin2c ksign_def_public_key __initdata >crypto/signature/key.h
Also the article from Linux Journal titled: Signed Kernel Modules has some good details and steps on how to do pieces of this, but I couldn’t find the user space tools,
mod that it references.
You might want to poke around Greg Kroah’s site, you may find something useful in one of his presentations.
Go to the kernel source directory and do (example):
./scripts/sign-file sha512 ./signing_key.priv ./signing_key.x509 /lib/modules/3.10.1/kernel/drivers/char/my_module.ko
Check which digest algorithm your kernel is using by opening .config and reading the CONFIG_MODULE_SIG config values:
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
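An added example, not part of the original answers: a shell helper that follows the second answer's steps (read the digest from .config, call scripts/sign-file with the key files named above) and then checks that the module ends with the marker string that mainline kernels using scripts/sign-file append to signed modules. The function names and the KSRC layout are assumptions for illustration; the sign-file arguments are taken from the command above.

```shell
#!/bin/sh
# Added example (not from the original page). Assumption: KSRC is the kernel
# build tree holding .config, scripts/sign-file, signing_key.priv and
# signing_key.x509, the file names used in the answer above.

# Trailer the kernel's module loader looks for at the end of a signed module.
SIG_MARKER='~Module signature appended~'

# Print the configured digest (e.g. "sha512"); fail if signing is not enabled.
module_sig_hash() {
    config=$1
    grep -q '^CONFIG_MODULE_SIG=y$' "$config" || return 1
    hash=$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\([a-z0-9]*\)"$/\1/p' "$config")
    [ -n "$hash" ] || return 1
    printf '%s\n' "$hash"
}

# Succeed only if the file ends with the marker plus a newline (28 bytes).
# Comparing hex dumps keeps NUL bytes in the binary away from the shell.
is_signed() {
    want=$(printf '%s\n' "$SIG_MARKER" | od -An -v -tx1 | tr -d ' \n')
    have=$(tail -c 28 "$1" | od -An -v -tx1 | tr -d ' \n')
    [ "$have" = "$want" ]
}

# sign_module KSRC MODULE: sign in place with the kernel's configured digest.
# Returns 2 if signing is disabled, 3 if the key pair is gone, 4 if sign-file fails.
sign_module() {
    ksrc=$1 mod=$2
    hash=$(module_sig_hash "$ksrc/.config") || {
        echo "CONFIG_MODULE_SIG is not enabled in $ksrc/.config" >&2; return 2; }
    for f in signing_key.priv signing_key.x509; do
        [ -r "$ksrc/$f" ] || { echo "missing $ksrc/$f" >&2; return 3; }
    done
    is_signed "$mod" && { echo "$mod is already signed" >&2; return 0; }
    "$ksrc/scripts/sign-file" "$hash" "$ksrc/signing_key.priv" \
        "$ksrc/signing_key.x509" "$mod" || return 4
    is_signed "$mod"    # confirm the trailer is really there
}
```

Call it as `sign_module /path/to/kernel/tree /path/to/my_module.ko`; a return code of 3 is the situation in the question, where the key pair from the build no longer exists.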