<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2022-09-28 Wed 14:25 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Signed kernel modules</title>
<meta name="author" content="Wade Mealing" />
<meta name="generator" content="Org Mode" />
<style>
#content { max-width: 60em; margin: auto; }
.title { text-align: center;
margin-bottom: .2em; }
.subtitle { text-align: center;
font-size: medium;
font-weight: bold;
margin-top:0; }
.todo { font-family: monospace; color: red; }
.done { font-family: monospace; color: green; }
.priority { font-family: monospace; color: orange; }
.tag { background-color: #eee; font-family: monospace;
padding: 2px; font-size: 80%; font-weight: normal; }
.timestamp { color: #bebebe; }
.timestamp-kwd { color: #5f9ea0; }
.org-right { margin-left: auto; margin-right: 0px; text-align: right; }
.org-left { margin-left: 0px; margin-right: auto; text-align: left; }
.org-center { margin-left: auto; margin-right: auto; text-align: center; }
.underline { text-decoration: underline; }
#postamble p, #preamble p { font-size: 90%; margin: .2em; }
p.verse { margin-left: 3%; }
pre {
border: 1px solid #e6e6e6;
border-radius: 3px;
background-color: #f2f2f2;
padding: 8pt;
font-family: monospace;
overflow: auto;
margin: 1.2em;
}
pre.src {
position: relative;
overflow: auto;
}
pre.src:before {
display: none;
position: absolute;
top: -8px;
right: 12px;
padding: 3px;
color: #555;
background-color: #f2f2f299;
}
pre.src:hover:before { display: inline; margin-top: 14px;}
/* Languages per Org manual */
pre.src-asymptote:before { content: 'Asymptote'; }
pre.src-awk:before { content: 'Awk'; }
pre.src-authinfo::before { content: 'Authinfo'; }
pre.src-C:before { content: 'C'; }
/* pre.src-C++ doesn't work in CSS */
pre.src-clojure:before { content: 'Clojure'; }
pre.src-css:before { content: 'CSS'; }
pre.src-D:before { content: 'D'; }
pre.src-ditaa:before { content: 'ditaa'; }
pre.src-dot:before { content: 'Graphviz'; }
pre.src-calc:before { content: 'Emacs Calc'; }
pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
pre.src-fortran:before { content: 'Fortran'; }
pre.src-gnuplot:before { content: 'gnuplot'; }
pre.src-haskell:before { content: 'Haskell'; }
pre.src-hledger:before { content: 'hledger'; }
pre.src-java:before { content: 'Java'; }
pre.src-js:before { content: 'Javascript'; }
pre.src-latex:before { content: 'LaTeX'; }
pre.src-ledger:before { content: 'Ledger'; }
pre.src-lisp:before { content: 'Lisp'; }
pre.src-lilypond:before { content: 'Lilypond'; }
pre.src-lua:before { content: 'Lua'; }
pre.src-matlab:before { content: 'MATLAB'; }
pre.src-mscgen:before { content: 'Mscgen'; }
pre.src-ocaml:before { content: 'Objective Caml'; }
pre.src-octave:before { content: 'Octave'; }
pre.src-org:before { content: 'Org mode'; }
pre.src-oz:before { content: 'OZ'; }
pre.src-plantuml:before { content: 'Plantuml'; }
pre.src-processing:before { content: 'Processing.js'; }
pre.src-python:before { content: 'Python'; }
pre.src-R:before { content: 'R'; }
pre.src-ruby:before { content: 'Ruby'; }
pre.src-sass:before { content: 'Sass'; }
pre.src-scheme:before { content: 'Scheme'; }
pre.src-screen:before { content: 'Gnu Screen'; }
pre.src-sed:before { content: 'Sed'; }
pre.src-sh:before { content: 'shell'; }
pre.src-sql:before { content: 'SQL'; }
pre.src-sqlite:before { content: 'SQLite'; }
/* additional languages in org.el's org-babel-load-languages alist */
pre.src-forth:before { content: 'Forth'; }
pre.src-io:before { content: 'IO'; }
pre.src-J:before { content: 'J'; }
pre.src-makefile:before { content: 'Makefile'; }
pre.src-maxima:before { content: 'Maxima'; }
pre.src-perl:before { content: 'Perl'; }
pre.src-picolisp:before { content: 'Pico Lisp'; }
pre.src-scala:before { content: 'Scala'; }
pre.src-shell:before { content: 'Shell Script'; }
pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
/* additional language identifiers per "defun org-babel-execute"
in ob-*.el */
pre.src-cpp:before { content: 'C++'; }
pre.src-abc:before { content: 'ABC'; }
pre.src-coq:before { content: 'Coq'; }
pre.src-groovy:before { content: 'Groovy'; }
/* additional language identifiers from org-babel-shell-names in
ob-shell.el: ob-shell is the only babel language using a lambda to put
the execution function name together. */
pre.src-bash:before { content: 'bash'; }
pre.src-csh:before { content: 'csh'; }
pre.src-ash:before { content: 'ash'; }
pre.src-dash:before { content: 'dash'; }
pre.src-ksh:before { content: 'ksh'; }
pre.src-mksh:before { content: 'mksh'; }
pre.src-posh:before { content: 'posh'; }
/* Additional Emacs modes also supported by the LaTeX listings package */
pre.src-ada:before { content: 'Ada'; }
pre.src-asm:before { content: 'Assembler'; }
pre.src-caml:before { content: 'Caml'; }
pre.src-delphi:before { content: 'Delphi'; }
pre.src-html:before { content: 'HTML'; }
pre.src-idl:before { content: 'IDL'; }
pre.src-mercury:before { content: 'Mercury'; }
pre.src-metapost:before { content: 'MetaPost'; }
pre.src-modula-2:before { content: 'Modula-2'; }
pre.src-pascal:before { content: 'Pascal'; }
pre.src-ps:before { content: 'PostScript'; }
pre.src-prolog:before { content: 'Prolog'; }
pre.src-simula:before { content: 'Simula'; }
pre.src-tcl:before { content: 'tcl'; }
pre.src-tex:before { content: 'TeX'; }
pre.src-plain-tex:before { content: 'Plain TeX'; }
pre.src-verilog:before { content: 'Verilog'; }
pre.src-vhdl:before { content: 'VHDL'; }
pre.src-xml:before { content: 'XML'; }
pre.src-nxml:before { content: 'XML'; }
/* add a generic configuration mode; LaTeX export needs an additional
(add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
pre.src-conf:before { content: 'Configuration File'; }
table { border-collapse:collapse; }
caption.t-above { caption-side: top; }
caption.t-bottom { caption-side: bottom; }
td, th { vertical-align:top; }
th.org-right { text-align: center; }
th.org-left { text-align: center; }
th.org-center { text-align: center; }
td.org-right { text-align: right; }
td.org-left { text-align: left; }
td.org-center { text-align: center; }
dt { font-weight: bold; }
.footpara { display: inline; }
.footdef { margin-bottom: 1em; }
.figure { padding: 1em; }
.figure p { text-align: center; }
.equation-container {
display: table;
text-align: center;
width: 100%;
}
.equation {
vertical-align: middle;
}
.equation-label {
display: table-cell;
text-align: right;
vertical-align: middle;
}
.inlinetask {
padding: 10px;
border: 2px solid gray;
margin: 10px;
background: #ffffcc;
}
#org-div-home-and-up
{ text-align: right; font-size: 70%; white-space: nowrap; }
textarea { overflow-x: auto; }
.linenr { font-size: smaller }
.code-highlighted { background-color: #ffff00; }
.org-info-js_info-navigation { border-style: none; }
#org-info-js_console-label
{ font-size: 10px; font-weight: bold; white-space: nowrap; }
.org-info-js_search-highlight
{ background-color: #ffff00; color: #000000; font-weight: bold; }
.org-svg { width: 90%; }
</style>
<link rel="stylesheet" href="tufte.css" type="text/css" />
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
</head>
<body>
<div id="content" class="content">
<h1 class="title">Signed kernel modules</h1>
<div id="table-of-contents" role="doc-toc">
<h2>Table of Contents</h2>
<div id="text-table-of-contents" role="doc-toc">
<ul>
<li><a href="#orgcb0fc20">What is a “signed” kernel module?</a></li>
<li><a href="#org3f7b9b5">How is it signed?</a></li>
<li><a href="#org27c888b">Kernel modules information.</a>
<ul>
<li><a href="#orgce4a446">Module location</a></li>
<li><a href="#org6634bda">Loading kernel modules.</a></li>
<li><a href="#org7ce11b4">The signature</a></li>
</ul>
</li>
<li><a href="#org29ae707">Source</a></li>
<li><a href="#org45c0cd7">Additional Resources:</a></li>
</ul>
</div>
</div>
<div id="outline-container-orgcb0fc20" class="outline-2">
<h2 id="orgcb0fc20">What is a “signed” kernel module?</h2>
<div class="outline-text-2" id="text-orgcb0fc20">
<p>
A digital signature is a method of verifying the authenticity of
digital data. A valid digital signature can be used to reason that
the ‘signed’ content was created by a known sender and that the data
was not modified between the time of signing and its current state.
</p>
<p>
Kernel modules are organized, functional sections of code that can be
loaded and removed from the kernel on demand. A module provides
additional functionality of the kernel without the need to reboot the
system or recompile the code.
</p>
<p>
A signed kernel module is a kernel module with a digital signature
that validates the contents of the module and ties the attached
signature to a trusted party in the system's ‘key chain’.
</p>
</div>
</div>
<div id="outline-container-org3f7b9b5" class="outline-2">
<h2 id="org3f7b9b5">How is it signed?</h2>
<div class="outline-text-2" id="text-org3f7b9b5">
<p>
Each kernel module is signed using the industry-standard PKCS#7 format
(<a href="https://tools.ietf.org/html/rfc5652">https://tools.ietf.org/html/rfc5652</a>). Modules that are built when
the kernel is compiled by the operating system vendor are signed at
build time, with the ‘hash’ specified at build time by the directive
CONFIG_MODULE_SIG_HASH. Each module can only be signed once by a
single signer; additional signatures are ignored.
The signature is appended to the file along with the string “~Module
signature appended~” at the end of the file. This allows for easy
confirmation of the signing process by using the ‘strings’ tool to
find the above string in an uncompressed kernel module.
</p>
<div class="org-src-container">
<pre class="src src-shell">$ strings ecryptfs.ko | tail -n 1
~Module signature appended~
</pre>
</div>
<p>
This signature in the file is consulted by the kernel and validated
during the module loading process. The number of supported cryptographic
hash algorithms has increased over time, but a module can be signed with
only a single algorithm.
</p>
<p>
The supported hash algorithms for a release can be found in the
kernel's build configuration file, along with other signing-related
options.
</p>
<div class="org-src-container">
<pre class="src src-shell">$ grep CONFIG_MODULE_SIG_HASH ~/rhel-8-kernel/redhat/configs/*config | sort | uniq
<span style="color: #dbdb95; font-weight: bold;">CONFIG_MODULE_SIG_HASH</span>=<span style="color: #e67128;">"sha256"</span>
</pre>
</div>
<p>
From this you can see that Red Hat Enterprise Linux 8 defaults to
sha256 and only supports sha256-signed kernel modules. These options
apply both at build time and at runtime of the kernel being built.
When the kernel is built, the key used to sign the modules is compiled
into the kernel (the vmlinuz file) for use when validating module
signatures.
</p>
</div>
</div>
<div id="outline-container-org27c888b" class="outline-2">
<h2 id="org27c888b">Kernel modules information.</h2>
<div class="outline-text-2" id="text-org27c888b">
</div>
<div id="outline-container-orgce4a446" class="outline-3">
<h3 id="orgce4a446">Module location</h3>
<div class="outline-text-3" id="text-orgce4a446">
<p>
Kernel modules provided by the operating system vendor are located in the
root or a subdirectory of the default search path (/lib/modules/$(uname -r)).
There is provision for third-party modules to exist within this directory
and to override operating system vendor defaults by using the
'updates' or 'extras' sub-directories.
</p>
<p>
Modules can also be loaded from outside this tree; the complex interactions of
search path and priority are documented in the depmod and depmod.d man pages.
</p>
</div>
</div>
<div id="outline-container-org6634bda" class="outline-3">
<h3 id="org6634bda">Loading kernel modules.</h3>
<div class="outline-text-3" id="text-org6634bda">
<p>
Modules can be loaded manually using insmod or modprobe, but the kernel
can also load modules on demand to meet the requirements of attached hardware
or protocols. The three triggers (that I know of) are:
</p>
<ul class="org-ul">
<li>Network Protocol use.</li>
<li>Hotplugged hardware.</li>
<li>Filesystem</li>
</ul>
<p>
Each of these events can fire off a userspace helper which can load a
module. This userspace helper consults the modules.dep file created by
depmod to locate the relevant module to meet the kernel's request.
</p>
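<p>
An added example (not code from this page or from kmod/depmod) of the lookup the userspace helper performs: it parses a small constructed modules.dep and returns the order in which a requested module and its dependencies must be inserted. The module paths and dependencies in the sample are invented for the example; only the line format is that of a real modules.dep.
</p>

```python
"""Resolve a module's load order from a modules.dep file.

Added example, not code from the page or from kmod/depmod. Each line of
modules.dep names a module path, a colon, and the paths of the modules it
depends on; dependencies have to be inserted first, so the result is a
post-order walk of that graph, which is what modprobe does to satisfy the
kernel's request.
"""
from pathlib import PurePosixPath
from typing import Dict, List

# Constructed sample in modules.dep format. Paths are relative to
# /lib/modules/$(uname -r); the module names and dependencies are invented.
SAMPLE_MODULES_DEP = """\
kernel/drivers/net/wireless/marvell/mwifiex/mwifiex.ko.xz: kernel/net/wireless/cfg80211.ko.xz
kernel/net/wireless/cfg80211.ko.xz: kernel/net/rfkill/rfkill.ko.xz
kernel/net/rfkill/rfkill.ko.xz:
kernel/fs/ecryptfs/ecryptfs.ko.xz: kernel/crypto/ecb.ko.xz kernel/crypto/md5.ko.xz
kernel/crypto/ecb.ko.xz:
kernel/crypto/md5.ko.xz:
extra/my_module.ko: kernel/net/wireless/cfg80211.ko.xz kernel/crypto/md5.ko.xz
"""


def module_name(path: str) -> str:
    """Normalise a path or name to the module name modprobe would use:
    strip directories and the .ko/.ko.xz suffix, and treat '-' as '_'."""
    name = PurePosixPath(path).name
    return name.split(".ko", 1)[0].replace("-", "_")


def parse_modules_dep(text: str) -> Dict[str, List[str]]:
    """Map each module name to the names of its direct dependencies."""
    deps: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(":")
        deps[module_name(path)] = [module_name(p) for p in rest.split()]
    return deps


def load_order(deps: Dict[str, List[str]], requested: str) -> List[str]:
    """Return the modules to insert, dependencies first, each listed once.

    Raises KeyError for a module that modules.dep does not know (the kernel
    request cannot be satisfied) and ValueError on a dependency cycle.
    """
    order: List[str] = []
    done = set()
    in_progress = set()

    def visit(name: str) -> None:
        if name in done:
            return
        if name in in_progress:
            raise ValueError(f"dependency cycle at {name}")
        if name not in deps:
            raise KeyError(f"{name}: not found in modules.dep")
        in_progress.add(name)
        for dep in deps[name]:
            visit(dep)
        in_progress.remove(name)
        done.add(name)
        order.append(name)

    visit(module_name(requested))
    return order


if __name__ == "__main__":
    table = parse_modules_dep(SAMPLE_MODULES_DEP)
    for wanted in ("mwifiex", "ecryptfs", "my_module"):
        print(wanted, "->", " ".join(load_order(table, wanted)))
```

<p>
Run against a real /lib/modules/$(uname -r)/modules.dep the same functions give the insertion order for any module on the system; the cycle and not-found checks are the two ways a kernel request for a module fails before any signature is ever examined.
</p>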
</div>
</div>
<div id="outline-container-org7ce11b4" class="outline-3">
<h3 id="org7ce11b4">The signature</h3>
<div class="outline-text-3" id="text-org7ce11b4">
</div>
<div id="outline-container-orgfcf511d" class="outline-4">
<h4 id="orgfcf511d">Signature metadata.</h4>
<div class="outline-text-4" id="text-orgfcf511d">
<p>
The /sbin/modinfo program can inspect details about the kernel module. The
</p>
<div class="org-src-container">
<pre class="src src-shell"><span style="color: #74af68;"># </span><span style="color: #74af68;">modinfo mwifiex.ko.xz</span>
filename: /lib/modules/4.18.0-193.el8.x86_64/kernel/drivers/net/wireless/marvell/mwifiex/mwifiex.ko.xz
license: GPL v2
version: 1.0
description: Marvell WiFi-Ex Driver version 1.0
author: Marvell International Ltd.
rhelversion: 8.2
srcversion: D69796288134CDB287FEF82
depends: cfg80211
intree: Y
name: mwifiex
vermagic: 4.18.0-193.el8.x86_64 SMP mod_unload modversions
sig_id: PKCS#7
signer: Red Hat Enterprise Linux kernel signing key
sig_key: 42:A4:B8:EB:D4:F1:21:1D:CA:0B:B6:66:62:38:61:FA:0B:90:31:59
sig_hashalgo: sha256
signature: 7B:A1:37:3D:44:86:1A:99:19:64:B2:1C:96:A7:5E:8F:4D:47:52:F9:
DE:1F:6F:81:6E:CE:FB:DB:F9:D6:6C:97:AC:58:59:BB:D6:7E:D1:F5:
46:E4:5D:0D:9C:77:F9:DD:DD:2A:F6:8B:6F:56:AC:49:55:06:1F:7B:
03:C3:4B:D9:9F:D1:65:6C:B4:DF:E6:0A:26:98:1E:53:E3:8C:79:FB:
0C:FF:58:E6:61:05:B9:F2:33:3A:87:4B:7B:68:1D:DB:18:DC:18:1E:
17:F0:1D:23:5E:DF:C9:F4:65:37:40:8A:42:62:1F:33:C2:FC:98:4C:
D4:73:81:3A:72:2A:7B:5F:0B:9F:4F:C0:A3:38:82:AD:7A:A5:CA:A6:
04:04:F3:7E:09:23:32:5D:B1:BA:D6:B1:FC:E2:20:0B:AF:ED:1D:85:
D3:F1:E8:60:C1:F0:38:46:D3:C5:33:A9:CB:F0:4E:EF:D9:1F:1C:7E:
5B:D5:C6:8E:97:57:85:4A:38:48:6B:06:FF:68:42:EB:B1:F3:7A:D0:
5B:32:4F:BC:A2:B9:04:D7:D0:04:74:72:66:00:72:E1:FC:49:B2:91:
8F:05:A7:BC:E6:38:17:BE:60:B1:E1:47:D1:CB:DA:8C:7E:B2:5E:B5:
7D:2A:37:A0:06:1D:2F:1C:88:86:82:01:57:02:75:B3:D8:D4:82:3D:
D7:76:13:FC:B1:2B:A8:E4:3B:DC:D2:F8:F4:6E:9F:7D:CC:90:1D:34:
AC:FB:D5:38:A4:E7:38:72:08:4B:1F:7C:5E:47:78:28:C4:FE:DB:70:
00:ED:DC:D1:A9:4A:BE:42:CE:1C:17:98:BF:E8:F0:C5:77:B0:A0:03:
95:E0:8E:F1:60:61:8B:A7:48:6E:51:D8:49:F7:94:CB:3C:BC:45:F9:
81:3C:62:2A:98:0D:77:F0:23:3B:D6:5A:B2:B6:17:2F:C3:75:3F:45:
AC:6B:CA:35:FF:E1:A9:65:02:18:15:00:AC:68:8F:96:03:0B:CB:CB:
A4:5E:FC:24
parm: reg_alpha2:charp
</pre>
</div>
<p>
The signature itself is at the tail end of the file; using the xxd hex dump tool
you can see it.
</p>
<pre class="example" id="orge4f2247">
0008d650: 0101 0500 0482 0180 7ba1 373d 4486 1a99 ........{.7=D... <-- STARTS HERE ON 7BA1
0008d660: 1964 b21c 96a7 5e8f 4d47 52f9 de1f 6f81 .d....^.MGR...o.
0008d670: 6ece fbdb f9d6 6c97 ac58 59bb d67e d1f5 n.....l..XY..~..
0008d680: 46e4 5d0d 9c77 f9dd dd2a f68b 6f56 ac49 F.]..w...*..oV.I
0008d690: 5506 1f7b 03c3 4bd9 9fd1 656c b4df e60a U..{..K...el....
0008d6a0: 2698 1e53 e38c 79fb 0cff 58e6 6105 b9f2 &..S..y...X.a...
0008d6b0: 333a 874b 7b68 1ddb 18dc 181e 17f0 1d23 3:.K{h.........#
0008d6c0: 5edf c9f4 6537 408a 4262 1f33 c2fc 984c ^[email protected]
0008d6d0: d473 813a 722a 7b5f 0b9f 4fc0 a338 82ad .s.:r*{_..O..8..
0008d6e0: 7aa5 caa6 0404 f37e 0923 325d b1ba d6b1 z......~.#2]....
0008d6f0: fce2 200b afed 1d85 d3f1 e860 c1f0 3846 .. ........`..8F
0008d700: d3c5 33a9 cbf0 4eef d91f 1c7e 5bd5 c68e ..3...N....~[...
0008d710: 9757 854a 3848 6b06 ff68 42eb b1f3 7ad0 .W.J8Hk..hB...z.
0008d720: 5b32 4fbc a2b9 04d7 d004 7472 6600 72e1 [2O.......trf.r.
0008d730: fc49 b291 8f05 a7bc e638 17be 60b1 e147 .I.......8..`..G
0008d740: d1cb da8c 7eb2 5eb5 7d2a 37a0 061d 2f1c ....~.^.}*7.../.
0008d750: 8886 8201 5702 75b3 d8d4 823d d776 13fc ....W.u....=.v..
0008d760: b12b a8e4 3bdc d2f8 f46e 9f7d cc90 1d34 .+..;....n.}...4
0008d770: acfb d538 a4e7 3872 084b 1f7c 5e47 7828 ...8..8r.K.|^Gx(
0008d780: c4fe db70 00ed dcd1 a94a be42 ce1c 1798 ...p.....J.B....
0008d790: bfe8 f0c5 77b0 a003 95e0 8ef1 6061 8ba7 ....w.......`a..
0008d7a0: 486e 51d8 49f7 94cb 3cbc 45f9 813c 622a HnQ.I...<.E..<b*
0008d7b0: 980d 77f0 233b d65a b2b6 172f c375 3f45 ..w.#;.Z.../.u?E
0008d7c0: ac6b ca35 ffe1 a965 0218 1500 ac68 8f96 .k.5...e.....h..
0008d7d0: 030b cbcb a45e fc24 0000 0200 0000 0000 .....^.$........ <-- ENDS HERE ON FC24
0008d7e0: 0000 0268 7e4d 6f64 756c 6520 7369 676e ...h~Module sign
0008d7f0: 6174 7572 6520 6170 7065 6e64 6564 7e0a ature appended~.
</pre>
<p>
There is an additional text string "~Module signature appended~" also at the
end of the file, which does not seem to serve a purpose other than as a simple
identifier to determine whether the module signature is included.
</p>
<p>
Some implementations of kernel module signing had included it as part of the
'ELF' section tables, but this appears to have been deprecated in favour of
simply appending it to the file.
</p>
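<p>
As an added worked example (not code from this page, from the kernel tree or from scripts/sign-file), the following Python builds and parses the trailer shown in the xxd dump above: the PKCS#7 blob, the 12-byte struct module_signature that records its length, and the magic string. SAMPLE_TRAILER is the twelve bytes visible in the dump between the end of the signature and the magic; the module image and PKCS#7 blob used in the constructed inputs are dummies, since no cryptography is performed here. The status strings model the errno the kernel's mod_verify_sig()/mod_check_sig() return for each malformed case, and kernel_would_load() models the 'decide' branch of module_sig_check() quoted later on this page.
</p>

```python
"""Build and parse the signature trailer appended to a Linux kernel module.

Added example: not code from the page, the kernel tree or scripts/sign-file.
It models the on-disk layout the page shows with xxd:

    [ module image ][ PKCS#7 DER blob ][ 12-byte struct module_signature ][ magic ]

struct module_signature (include/linux/module_signature.h); for PKCS#7 every
field is zero except id_type and sig_len:

    u8 algo; u8 hash; u8 id_type; u8 signer_len; u8 key_id_len;
    u8 __pad[3]; __be32 sig_len;   /* length of the PKCS#7 blob */
"""
import struct

MAGIC = b"~Module signature appended~\n"
TRAILER = struct.Struct(">BBBBB3sI")   # 12 bytes, sig_len is big-endian
PKEY_ID_PKCS7 = 2                       # id_type used by every modern module

# The 12 trailer bytes in the page's xxd dump, just before the magic string:
# 0000 0200 0000 0000 0000 0268  ->  id_type 2, sig_len 0x268 = 616 bytes
SAMPLE_TRAILER = bytes.fromhex("000002000000000000000268")


def parse_trailer(raw: bytes) -> dict:
    """Decode one struct module_signature into a dict of its fields."""
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack(raw)
    return {"algo": algo, "hash": hash_, "id_type": id_type,
            "signer_len": signer_len, "key_id_len": key_id_len,
            "pad": pad, "sig_len": sig_len}


def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Append pkcs7_der the way scripts/sign-file does (the caller supplies the
    blob; no crypto here). Signing twice simply wraps the already signed file,
    which is why only the outermost signature is ever examined."""
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7_der))
    return module + pkcs7_der + trailer + MAGIC


def split_signature(blob: bytes):
    """Return (status, module_image, pkcs7_der).

    status mirrors the errno mod_verify_sig()/mod_check_sig() would return:
      'ok'       trailer well formed, PKCS#7 blob extracted
      'ENODATA'  no magic string: the module is unsigned
      'ENOPKG'   id_type is not PKCS#7
      'EBADMSG'  trailer present but inconsistent (truncated, bad fields)
    """
    if not blob.endswith(MAGIC):
        return "ENODATA", blob, b""
    body = blob[:len(blob) - len(MAGIC)]
    if TRAILER.size >= len(body):
        return "EBADMSG", body, b""
    fields = parse_trailer(body[len(body) - TRAILER.size:])
    body = body[:len(body) - TRAILER.size]
    if fields["id_type"] != PKEY_ID_PKCS7:
        return "ENOPKG", body, b""
    if (fields["algo"] or fields["hash"] or fields["signer_len"]
            or fields["key_id_len"] or fields["pad"] != b"\0\0\0"):
        return "EBADMSG", body, b""
    if fields["sig_len"] > len(body):
        return "EBADMSG", body, b""
    cut = len(body) - fields["sig_len"]
    return "ok", body[:cut], body[cut:]


def kernel_would_load(blob: bytes, sig_enforce: bool):
    """Model the 'decide' branch of module_sig_check() shown on the page.

    ENODATA/ENOPKG/ENOKEY fall through to the policy decision: rejected when
    module.sig_enforce=1, otherwise loaded (and the kernel tainted). Every
    other error, including a malformed trailer (EBADMSG), is fatal regardless
    of policy. Lockdown and the PKCS#7 verification itself (ENOKEY) are out
    of scope for this model.
    """
    status, _, _ = split_signature(blob)
    if status == "ok":
        return True, "signature present, handed to verify_pkcs7_signature()"
    if status in ("ENODATA", "ENOPKG"):
        if sig_enforce:
            return False, f"{status}: rejected because module.sig_enforce=1"
        return True, f"{status}: loaded but kernel tainted (sig_enforce off)"
    return False, f"{status}: malformed signature trailer, always rejected"


if __name__ == "__main__":
    print(parse_trailer(SAMPLE_TRAILER))
    demo = append_signature(b"\x7fELF" + bytes(64), b"\x30\x82" + bytes(40))
    print(split_signature(demo)[0], kernel_would_load(demo, True))
```

<p>
The distinction kernel_would_load() draws is the practical one for an administrator: a module with no trailer at all is a policy question (module.sig_enforce), while a module whose trailer is present but inconsistent is refused even on a permissive system, so a corrupted or truncated signed module never silently loads as "unsigned".
</p>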
<p>
The first implementation of signing kernel modules appeared in Red Hat
Enterprise Linux 5. This was available and enabled in Enterprise Linux before
it was available in Fedora and other distributions.
</p>
<p>
Kernel module signature verification is not enabled by default but can be
enabled by booting the kernel with an additional parameter as shown below:
</p>
<table border="2" cellspacing="0" cellpadding="6" rules="groups" frame="hsides">
<colgroup>
<col class="org-left" />
<col class="org-left" />
</colgroup>
<thead>
<tr>
<th scope="col" class="org-left">Version</th>
<th scope="col" class="org-left">Kernel Boot parameter</th>
</tr>
</thead>
<tbody>
<tr>
<td class="org-left">Red Hat Enterprise Linux 5</td>
<td class="org-left">enforcemodulesig=1</td>
</tr>
<tr>
<td class="org-left">Red Hat Enterprise Linux 6</td>
<td class="org-left">enforcedmodulesign=1</td>
</tr>
<tr>
<td class="org-left">Red Hat Enterprise Linux 7</td>
<td class="org-left">module.sig_enforce=1</td>
</tr>
<tr>
<td class="org-left">Red Hat Enterprise Linux 8</td>
<td class="org-left">module.sig_enforce=1</td>
</tr>
<tr>
<td class="org-left">Red Hat Enterprise Linux 9</td>
<td class="org-left">module.sig_enforce=1</td>
</tr>
</tbody>
</table>
<p>
For releases with full 'secureboot' support (7 and later), module signature
verification is required unless explicitly disabled by inverting the above kernel
boot parameter.
</p>
<p>
When IMA is enabled, kernel module signing support is enforced.
</p>
</div>
</div>
</div>
</div>
<div id="outline-container-org29ae707" class="outline-2">
<h2 id="org29ae707">Source</h2>
<div class="outline-text-2" id="text-org29ae707">
<p>
The kernel has two entry paths for loading a module. The init_module()
function was the traditional path.
</p>
<p>
These system call functions are init_module() and finit_module(). They
both perform the same essential function; finit_module() takes a file
descriptor instead of a path to the module.
</p>
<p>
[This may be useful if you have some kind of SELinux policy on loading
modules that are labeled?]
</p>
<p>
An overview of the function calls in the 'useful' codepath.
</p>
<pre class="example" id="org570ca29">
init_module()
  -> load_module()
    -> module_sig_check()                  <-- checks to see if it has a sig
      -> mod_verify_sig()                  <-- verifies the signature
        -> verify_pkcs7_signature()        <-- checks to see if it is valid PKCS#7
          -> pkcs7_verify_one()            <-- checks a single signature (from the list)
            -> public_key_verify_signature()   <-- actual crypto done here
</pre>
<p>
There is provision for a secondary keychain (the comments here don't
seem to match the actual code); this is changed in later versions.
</p>
<div class="org-src-container">
<pre class="src src-C"><span style="color: #00ede1; font-weight: bold;">mod_verify_sig</span><span style="color: #8c8c8c;">()</span> <span style="color: #8c8c8c;">{</span>
<span style="color: #74af68;">/*</span>
<span style="color: #74af68;"> * Check signature using built-in trusted keys and, if configured,</span>
<span style="color: #74af68;"> * secondary trusted keys.</span>
<span style="color: #74af68;"> */</span>
err = verify_pkcs7_signature<span style="color: #93a8c6;">(</span>mod, modlen, mod + modlen, sig_len,
VERIFY_USE_SECONDARY_KEYRING,
VERIFYING_MODULE_SIGNATURE,
<span style="color: #008b8b;">NULL</span>, <span style="color: #008b8b;">NULL</span><span style="color: #93a8c6;">)</span>;
<span style="color: #ffad29; font-weight: bold;">if</span> <span style="color: #93a8c6;">(</span>IS_ENABLED<span style="color: #b0b1a3;">(</span>CONFIG_INTEGRITY_PLATFORM_KEYRING<span style="color: #b0b1a3;">)</span> && err<span style="color: #93a8c6;">)</span> <span style="color: #93a8c6;">{</span>
<span style="color: #74af68;">/*</span>
<span style="color: #74af68;"> * Check signature using platform trusted keys. This does</span>
<span style="color: #74af68;"> * not consider the built-in keys, so must be done separately</span>
<span style="color: #74af68;"> * from above, if possible and necessary.</span>
<span style="color: #74af68;"> */</span>
err = verify_pkcs7_signature<span style="color: #b0b1a3;">(</span>mod, modlen, mod + modlen,
sig_len,
VERIFY_USE_PLATFORM_KEYRING,
VERIFYING_MODULE_SIGNATURE,
<span style="color: #008b8b;">NULL</span>, <span style="color: #008b8b;">NULL</span><span style="color: #b0b1a3;">)</span>;
<span style="color: #93a8c6;">}</span>
<span style="color: #ffad29; font-weight: bold;">return</span> err;
<span style="color: #8c8c8c;">}</span>
</pre>
</div>
<p>
From initial research this appears to be the ".builtin_trusted_keys"
keyring. But the secondary keyring can also be built if configured at
build time. (This is not the case on RHEL systems.)
</p>
<p>
This secondary keychain must also be trusted by a signer in the primary
keychain, so it is not simple.
</p>
<p>
Listing the primary keys:
</p>
<div class="org-src-container">
<pre class="src src-shell"><span style="color: #74af68;"># </span><span style="color: #74af68;">keyctl list %:.builtin_trusted_keys </span>
</pre>
</div>
<p>
These keys will only show when booted in secureboot mode with secureboot in
a reputable state.
</p>
<p>
The kernel module signature check 'fails closed' leaving it up to the admin
controlled parameter to decide on the behavior.
</p>
<p>
This is decided in module_sig_check():
</p>
<div class="org-src-container">
<pre class="src src-C"><span style="color: #ffad29; font-weight: bold;">static</span> <span style="color: #34cae2;">int</span> <span style="color: #00ede1; font-weight: bold;">module_sig_check</span><span style="color: #8c8c8c;">(</span><span style="color: #ffad29; font-weight: bold;">struct</span> <span style="color: #34cae2;">load_info</span> *<span style="color: #dbdb95; font-weight: bold;">info</span>, <span style="color: #34cae2;">int</span> <span style="color: #dbdb95; font-weight: bold;">flags</span><span style="color: #8c8c8c;">)</span> <span style="color: #8c8c8c;">{</span>
err = mod_verify_sig<span style="color: #93a8c6;">(</span>mod, info<span style="color: #93a8c6;">)</span>;
<span style="color: #ffad29; font-weight: bold;">switch</span><span style="color: #93a8c6;">(</span>err<span style="color: #93a8c6;">)</span> <span style="color: #93a8c6;">{</span>
<span style="color: #ffad29; font-weight: bold;">case</span> 0: <span style="color: #74af68;">/* </span><span style="color: #74af68;">module okay to load</span><span style="color: #74af68;"> */</span>
<span style="color: #ffad29; font-weight: bold;">return</span> 0;
<span style="color: #ffad29; font-weight: bold;">case</span> -ENODATA: <span style="color: #74af68;">/* </span><span style="color: #74af68;">Loading of unsigned module</span><span style="color: #74af68;"> */</span>
<span style="color: #ffad29; font-weight: bold;">goto</span> <span style="color: #008b8b;">decide</span>;
<span style="color: #ffad29; font-weight: bold;">case</span> -ENOPKG: <span style="color: #74af68;">/* </span><span style="color: #74af68;">Unknown crypto on module</span><span style="color: #74af68;"> */</span>
<span style="color: #ffad29; font-weight: bold;">goto</span> <span style="color: #008b8b;">decide</span>;
<span style="color: #ffad29; font-weight: bold;">case</span> -ENOKEY: <span style="color: #74af68;">/* </span><span style="color: #74af68;">unavailable key (not in current chain</span><span style="color: #74af68;"> */</span>
<span style="color: #ffad29; font-weight: bold;">goto</span> <span style="color: #008b8b;">decide</span>;
<span style="color: #008b8b;">decide</span>:
<span style="color: #ffad29; font-weight: bold;">if</span> <span style="color: #b0b1a3;">(</span>is_module_sig_enforced<span style="color: #97b098;">()</span><span style="color: #b0b1a3;">)</span> <span style="color: #b0b1a3;">{</span>
pr_notice<span style="color: #97b098;">(</span><span style="color: #e67128;">"%s: %s is rejected</span><span style="color: #FFFFFF; font-weight: bold;">\</span><span style="color: #FFFFFF; font-weight: bold;">n</span><span style="color: #e67128;">"</span>, info->name, reason<span style="color: #97b098;">)</span>;
<span style="color: #ffad29; font-weight: bold;">return</span> -EKEYREJECTED;
<span style="color: #b0b1a3;">}</span>
<span style="color: #ffad29; font-weight: bold;">return</span> security_locked_down<span style="color: #b0b1a3;">(</span>LOCKDOWN_MODULE_SIGNATURE<span style="color: #b0b1a3;">)</span>;
<span style="color: #74af68;">/* </span><span style="color: #74af68;">All other errors are fatal, including nomem, unparseable</span><span style="color: #74af68;"> */</span>
<span style="color: #ffad29; font-weight: bold;">default</span>:
<span style="color: #ffad29; font-weight: bold;">return</span> err;
<span style="color: #93a8c6;">}</span>
<span style="color: #8c8c8c;">}</span>
</pre>
</div>
<p>
The code also heavily defaults to the 'lockdown' mode state.
</p>
<p>
If the system is not UEFI-based or if UEFI Secure Boot is not
enabled, then only the keys that are embedded in the kernel are loaded onto the
system key ring and you have no ability to augment that set of keys without
rebuilding the kernel and signing all kernel modules with your own key.
</p>
<p>
However, if you do have secureboot as an option:
</p>
<p>
Secureboot has a provision for adding 'additional' keys to the 'platform'
keyring: a Machine Owner Key (MOK) is used to add additional keys to the UEFI
secure boot database, which adds them to the 'system' keyring for use.
</p>
<p>
The Red Hat Enterprise Linux boot process uses shim.efi, MokManager.efi and
grubx64.efi, each of which supports the "MOK" style keyring addition.
</p>
<p>
Once a key has been generated and added via mokutil, on the
next reboot the user will be required to input a passphrase at the physical
console (the same one that was set when the key was created).
</p>
<p>
This allows local users to add keys to the system keychain that can
be used to validate signatures of kernel modules.
</p>
<p>
Create a file configuration_file.config with the following contents,
modifying the O and CN options.
</p>
<pre class="example" id="org1dd6ac0">
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
</pre>
<p>
From this file, use openssl to generate a public/private key pair which can
be used to sign the kernel module and also be enrolled in the system's "MOK" keychain.
</p>
<div class="org-src-container">
<pre class="src src-shell"><span style="color: #23d7d7;"># openssl</span> req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config configuration_file.config -outform DER -out public_key.der -keyout private_key.priv
</pre>
</div>
<p>
The openssl command should create two files, public_key.der and
private_key.priv.
</p>
<div class="org-src-container">
<pre class="src src-shell"><span style="color: #23d7d7;"># mokutil</span> --import public_key.der
</pre>
</div>
<p>
You will be asked to enter and confirm a password for this MOK enrollment
request.
</p>
<p>
Reboot the machine.
</p>
<p>
The shim.efi will notice that there is a pending MOK enrollment and start
MokManager.efi to complete the enrollment. The password used during the
certificate generation process will need to be entered at the console during
the early-boot stage to confirm that this key is to be enrolled.
</p>
<p>
This public key will now be in the MOK list and be added to the system key ring
on all future boots (until cleared) while secureboot is enabled.
</p>
<p>
For example, the "Wades own very special kmod v01" signing key:
</p>
<div class="org-src-container">
<pre class="src src-shell"><span style="color: #74af68;"># </span><span style="color: #74af68;">keyctl list %:.system_keyring</span>
6 keys<span style="color: #ffad29; font-weight: bold;"> in</span> keyring:
...asymmetric: Red Hat Enterprise Linux Driver Update Program <span style="color: #8c8c8c;">(</span>key 3<span style="color: #8c8c8c;">)</span>: bf57f3e87...
...asymmetric: Red Hat Secure Boot <span style="color: #8c8c8c;">(</span>CA key 1<span style="color: #8c8c8c;">)</span>: 4016841644ce3a810408050766e8f8a29...
...asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed...
...asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e...
...asymmetric: Red Hat Enterprise Linux kernel signing key: 4249689eefc77e95880b...
...asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b7...
...asymmetric: Wades own very special kmod v01 signing key: c4ae92e16da94228cd9e...
</pre>
</div>
<p>
Before the module can be loaded it must be signed. There is a sign-file
script included in the kernel source ./scripts/ directory which provides
a compatible signing technique that can be used for 'out of
tree' built kernel modules. An example of signing my_module:
</p>
<div class="org-src-container">
<pre class="src src-shell">perl /usr/src/kernels/$<span style="color: #8c8c8c;">(</span><span style="color: #fa8072;">uname -r</span><span style="color: #8c8c8c;">)</span>/scripts/sign-file sha256 private_key.priv public_key.der my_module.ko
</pre>
</div>
<p>
After the signature has been applied, the modinfo command should show the
newly applied signature in its output.
</p>
<p>
Note: The signing process does not need to be on the machine where the
module will be loaded. Module signing keys should be adequately secured with best
practices for public/private keys.
</p>
</div>
</div>
<div id="outline-container-org45c0cd7" class="outline-2">
<h2 id="org45c0cd7">Additional Resources:</h2>
<div class="outline-text-2" id="text-org45c0cd7">
<p>
<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/chap-documentation-kernel_administration_guide-working_with_kernel_modules#sect-signing-kernel-modules-for-secure-boot">Red Hat Guide for secure boot</a>
</p>
<p>
<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/chap-documentation-kernel_administration_guide-working_with_kernel_modules#sect-signing-kernel-modules-for-secure-boot">Adding a secondary sign to out of tree kernel module</a>
</p>
<p>
<a href="https://mchehab.fedorapeople.org/kernel_docs_pdf/security.pdf">Kernel security subsystem (keyring section)</a>
</p>
<p>
<a href="https://lore.kernel.org/patchwork/patch/665795/">Secondary trusted keyring ( SECONDARY_TRUSTED_KEYRING )</a>
</p>
</div>
</div>
</div>
<div id="postamble" class="status">
<p class="author">Author: Wade Mealing</p>
<p class="date">Created: 2022-09-28 Wed 14:25</p>
</div>
</body>
</html>