Long-Term Supported Versions

    Innovation Versions

      Kernel Module Signing

      Overview

      The kernel module signing facility is an important mechanism for protecting Linux kernel security. Signature information is added to the end of the kernel module file in a certain format, and the system checks whether the signature matches the public key preset in the kernel when the kernel module is loaded. In this way, the authenticity and integrity of the kernel module file are ensured.

      Prerequisites

      1. The openEuler kernel compilation environment has been prepared. For details, see https://gitee.com/openeuler/kernel/wikis/kernel.
      2. In openEuler kernel 5.10, the ShangMi (SM) series cryptographic algorithms are supported for kernel module signing. You are advised to select the latest kernel 5.10 source code for compilation.
      3. The SM2 private key and certificate used for kernel module signing have been generated. The reference commands using OpenSSL are as follows:
      # Generate a certificate configuration file. (Other fields in the configuration file can be defined as required.)
      $ echo 'subjectKeyIdentifier=hash' > mod.cfg
      # Generate a private key for SM2 signing.
      $ openssl ecparam -genkey -name SM2 -out mod.key
      # Generate a signing request.
      $ openssl req -new -sm3 -key mod.key -out mod.csr
      # Generate an SM2 certificate.
      $ openssl x509 -req -days 3650 -extfile mod.cfg -signkey mod.key -in mod.csr -out mod.crt
      

      How to Use

      Scenario 1: Automatic Signing

      Write the certificate and private key to the mod.pem file.

      $ cat /path/to/mod.key > mod.pem
      $ cat /path/to/mod.crt >> mod.pem
      

      Use the SM3 algorithm to sign the kernel module in the kernel compilation options.

      $ make openeuler_defconfig
      $ make menuconfig
      

      Choose Enable loadable module support > Sign modules with SM3 on the GUI.

      Which hash algorithm should modules be signed with? (Sign modules with SM3)
      

      Configure Cryptographic API > Certificates for signature checking to read the private key and certificate used for kernel signing from mod.pem.

      (mod.pem) File name or PKCS#11 URI of module signing key
      

      Build the kernel.

      $ make -j64
      $ make modules_install
      $ make install
      

      Run the modinfo command to check the signature information of the kernel module.

      $ modinfo /usr/lib/modules/5.10.0/kernel/crypto/sm4.ko 
      filename:       /usr/lib/modules/5.10.0/kernel/crypto/sm4.ko
      license:        GPL v2
      description:    Generic SM4 library
      srcversion:     371050FDB8BF9878D9B5B9B
      depends:        
      retpoline:      Y
      intree:         Y
      name:           sm4
      vermagic:       5.10.0 SMP mod_unload modversions 
      sig_id:         PKCS#7
      signer:         Internet Widgits Pty Ltd
      sig_key:        33:0B:96:3E:1F:C1:CA:28:98:72:F5:AE:FF:3F:A4:F3:50:5D:E1:87
      sig_hashalgo:   sm3
      signature:      30:45:02:21:00:81:96:8D:40:CE:7F:7D:AE:3A:4B:CC:DC:9A:F2:B4:
      		16:87:3E:C3:DC:77:ED:BC:6E:F5:D8:F3:DD:77:2B:D4:05:02:20:3B:
      		39:5A:89:9D:DC:27:83:E8:D8:B4:75:86:FF:33:2B:34:33:D0:90:76:
      		32:4D:36:88:84:34:31:5C:83:63:6B
      

      Scenario 2: Manual Signing

      Call sign_file in the kernel source code directory to sign the specified kernel module.

      $ ./scripts/sign-file sm3 /path/to/mod.key /path/to/mod.crt <module_file>
      

      Other steps are the same as those in scenario 1.

      Scenario 3: Module Loading Verification

      Add module.sig_enforce to the kernel startup parameters to enable forcible signature verification for the kernel module.

      linux   /vmlinuz-5.10.0-106.1.0.55.oe2209.x86_64 root=/dev/mapper/openeuler-root ro resume=/dev/mapper/openeuler-swap rd.lvm.lv=openeuler/root rd.lvm.lv=openeuler/swap crashkernel=512M module.sig_enforce
      

      After the system is restarted, only the kernel modules that pass the certificate verification can be loaded.

      # insmod /usr/lib/modules/5.10.0/kernel/crypto/sm4.ko
      

      Bug Catching

      Buggy Content

      Bug Description

      Submit As Issue

      It's a little complicated....

      I'd like to ask someone.

      PR

      Just a small problem.

      I can fix it online!

      Bug Type
      Specifications and Common Mistakes

      ● Misspellings or punctuation mistakes;

      ● Incorrect links, empty cells, or wrong formats;

      ● Chinese characters in English context;

      ● Minor inconsistencies between the UI and descriptions;

      ● Low writing fluency that does not affect understanding;

      ● Incorrect version numbers, including software package names and version numbers on the UI.

      Usability

      ● Incorrect or missing key steps;

      ● Missing prerequisites or precautions;

      ● Ambiguous figures, tables, or texts;

      ● Unclear logic, such as missing classifications, items, and steps.

      Correctness

      ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

      ● Incorrect schematic or architecture diagrams;

      ● Incorrect commands or command parameters;

      ● Incorrect code;

      ● Commands inconsistent with the functions;

      ● Wrong screenshots.

      Risk Warnings

      ● Lack of risk warnings for operations that may damage the system or important data.

      Content Compliance

      ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

      ● Copyright infringement.

      How satisfied are you with this document

      Not satisfied at all
      Very satisfied
      Submit
      Click to create an issue. An issue template will be automatically generated based on your feedback.
      Bug Catching
      编组 3备份