The document discusses signature verification of kernel modules and the kexec binary loader in Linux. It describes:
1) How to enable kernel module signing using config options to cryptographically sign modules during installation and check signatures on loading.
2) How to generate signing keys, sign modules, and require valid signatures.
3) The mechanism where modules contain a signature string and metadata for verification.
4) How kexec can verify signatures of PE signed bzImage binaries using Authenticode signatures embedded in the COFF format.
5) The steps to enable verification in kexec, sign bzImages, and load signed kernels via kexec for testing.
1. Signature verification of kernel module and kexec
October, 2016, openSUSE.Asia 2016, Yogyakarta
Joey Lee, SUSE Labs Taipei
2. 2
Agenda
• Kernel module signing
– How to enable it
– Sign kernel module
– The mechanism of verification
• kexec: Verify signature of PE signed bzImage
– How to enable it
– Sign kernel PE binary for loading with kexec-file
– The mechanism of kexec-file syscall
• Q&A
4. 4
Kernel Module Signing Facility
• Introduced in kernel v3.7-rc1
• Author: David Howells
– https://lkml.org/lkml/2012/9/24/631
– crypto algorithm: RSA
– Key identifier type: X.509
• The kernel module signing facility cryptographically signs
modules during installation and then checks the signature
upon loading the module.
• This allows increased kernel security by disallowing the
loading of unsigned modules or modules signed with an
invalid key. [1]
5. 5
How to enable modsign
• CONFIG_MODULE_SIG=y
– Module signature verification
• CONFIG_MODULE_SIG_FORCE
– Require modules to be validly signed
• CONFIG_MODULE_SIG_ALL
– Automatically sign all modules
• CONFIG_MODULE_SIG_SHA*
– which hash algorithm the installation phase will sign the
modules with
– e.g. CONFIG_MODULE_SIG_SHA512
6. 6
How to enable modsign (cont.)
• CONFIG_MODULE_SIG_KEY
– File name or PKCS#11 URI of module signing key
– Default: certs/signing_key.pem
• CONFIG_SYSTEM_TRUSTED_KEYS
– Additional X.509 keys for default system keyring
• CONFIG_MODULE_SIG_UEFI=y (SUSE-specific option)
– Load certificates from the UEFI db, dbx, MOK and MOKX variables
7. 7
module signing key
• CONFIG_MODULE_SIG_KEY
– File name or PKCS#11 URI of module signing key
– Default:
● CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
● certs/signing_key.pem (private key + public key)
● certs/signing_key.x509 (only public key)
9. 9
module signing key (cont.)
• Show private key
– openssl rsa -in certs/signing_key.pem -noout -text | less
10. 10
module signing key (cont.)
• Show certificate (includes public key)
– openssl x509 -in certs/signing_key.pem -inform PEM -noout -text | less
– openssl x509 -in certs/signing_key.x509 -inform DER -noout -text | less
11. 11
x509.genkey
• The key pair is generated during the build of vmlinux (the public part of the key
needs to be built into vmlinux), using the parameters in:
certs/x509.genkey
• This file is also generated if it does not already exist [1]
• Most notably, in the x509.genkey file, the req_distinguished_name section
should be altered from the default:
– [ req_distinguished_name ]
#O = Unspecified company
CN = Build time autogenerated kernel key
#emailAddress = unspecified.user@unspecified.company
• The generated RSA key size can also be set with:
– [ req ]
default_bits = 4096
14. 14
Require modules to be validly signed
• CONFIG_MODULE_SIG_FORCE=y
– insmod: ERROR: could not insert module acer-wmi-unsign.ko: Required
key not available
• CONFIG_MODULE_SIG_FORCE not set
– module verification failed: signature and/or required key missing -
tainting kernel
– The kernel is tainted with the 'E' flag
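As an added illustration (not code from the talk), the following Python parses the trailer that scripts/sign-file appends to a signed .ko: the PKCS#7 blob, then struct module_signature from include/linux/module_signature.h, then the magic string "~Module signature appended~\n". It performs the same consistency checks the kernel does before any cryptography (key identifier type, zeroed fields, sig_len bounds) and maps the two load-time outcomes shown above (CONFIG_MODULE_SIG_FORCE set or not) onto the corresponding messages. The .ko payload and the "PKCS7-PLACEHOLDER" blob are constructed stand-ins, not a real module or signature; verifying the PKCS#7 signature against the keyring is left to the kernel.

```python
import struct

# Trailer appended by scripts/sign-file (include/linux/module_signature.h):
#   <PKCS#7 DER> <struct module_signature> "~Module signature appended~\n"
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len,
# __pad[3]; __be32 sig_len
MODULE_SIGNATURE_FMT = ">BBBBB3sI"
MODULE_SIGNATURE_LEN = struct.calcsize(MODULE_SIGNATURE_FMT)   # 12 bytes


def append_signature(ko: bytes, pkcs7_der: bytes) -> bytes:
    """Append the trailer the way sign-file does: PKCS#7 id type, no signer
    name, no key id (those fields are only used by the older X.509 format)."""
    info = struct.pack(MODULE_SIGNATURE_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0,
                       b"\0\0\0", len(pkcs7_der))
    return ko + pkcs7_der + info + MODULE_SIG_STRING


def parse_module_signature(ko: bytes):
    """Return None for an unsigned module, or a dict with the unsigned payload
    and the PKCS#7 blob.  Raise ValueError for a trailer the kernel rejects
    as malformed (before it ever looks at the signature bytes)."""
    if not ko.endswith(MODULE_SIG_STRING):
        return None
    body = ko[:-len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIGNATURE_LEN:
        raise ValueError("module too short for struct module_signature")
    info_off = len(body) - MODULE_SIGNATURE_LEN
    algo, digest, id_type, signer_len, key_id_len, pad, sig_len = \
        struct.unpack_from(MODULE_SIGNATURE_FMT, body, info_off)
    if id_type != PKEY_ID_PKCS7:                      # kernel: -ENOPKG
        raise ValueError("unsupported key identifier type %d" % id_type)
    if algo or digest or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("fields must be zero for PKCS#7")   # kernel: -EBADMSG
    if sig_len >= info_off:                           # kernel: -EBADMSG
        raise ValueError("sig_len larger than the module")
    return {"payload": body[:info_off - sig_len],
            "pkcs7": body[info_off - sig_len:info_off],
            "sig_len": sig_len}


def classify_module(ko: bytes, sig_force: bool) -> str:
    """Load-time outcome as far as the trailer decides it; a present signature
    is then verified by the kernel against the system keyring."""
    try:
        info = parse_module_signature(ko)
    except ValueError as err:
        return "rejected: malformed signature (%s)" % err
    if info is None:
        if sig_force:                                 # CONFIG_MODULE_SIG_FORCE=y
            return "rejected: Required key not available"
        return "loaded: module verification failed, tainting kernel with 'E'"
    return "signed: %d-byte PKCS#7 blob to verify against the keyring" % info["sig_len"]


if __name__ == "__main__":
    ko = b"\x7fELF" + b"A" * 100                      # constructed stand-in for a .ko
    print(classify_module(ko, sig_force=True))
    print(classify_module(append_signature(ko, b"PKCS7-PLACEHOLDER"), sig_force=True))
```

The same layout is what `modinfo` reads when it prints the `sig_id`, `signer` and `sig_key` fields, and `hexdump -C module.ko | tail` shows the magic string as the last 28 bytes of a signed module.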
24. 24
kexec: Verify signature of PE signed bzImage
• Introduced in kernel v3.7-rc1
• Author: Vivek Goyal
– https://lkml.org/lkml/2014/7/3/749
– x86_64 only
– Based on:
● kexec: A new system call to allow in kernel loading
● PKCS7 signature support
• The kexec bzImage loader now calls into the pefile parser and
passes the PE-signed bzImage to it for signature verification.
25. 25
How to enable kexec verify
• CONFIG_KEXEC_FILE=y
– kexec file based system call
• CONFIG_KEXEC_VERIFY_SIG=y
– Verify kernel signature during kexec_file_load() syscall
• CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
– Enable bzImage signature verification support
26. 26
The EFI Boot Stub
• On the x86 and ARM platforms, a kernel zImage/bzImage can
masquerade as a PE/COFF image, thereby convincing EFI
firmware loaders to load it as an EFI executable. [2]
• CONFIG_EFI_STUB=y
• The bzImage located in arch/x86/boot/bzImage must be copied
to the EFI System Partition (ESP) and renamed with the
extension ".efi".
• An EFI shell can execute the EFI stub kernel directly
• Grub2 supports kernel x86 boot protocol 2.11 (since v3.6)
– Protocol 2.11: (Kernel 3.6) Added a field for offset of EFI handover
protocol entry point. [5]
– With linuxefi/initrdefi grub2 module
28. 28
sign your bzImage
• Set CONFIG_MODULE_SIG=y to generate signing_key.*
– Or use your own key pair
• Enroll the certificate into MOK so that shim can verify the kernel
– mokutil --root-pw --import certs/signing_key.x509
• Install mozilla-nss-tools, openssl and pesign
– zypper in mozilla-nss-tools openssl pesign
34. 34
Embedded signatures of PE/COFF
• CONFIG_EFI_STUB=y
– On the x86 and ARM platforms, a kernel zImage/bzImage can
masquerade as a PE/COFF image, thereby convincing EFI firmware
loaders to load it as an EFI executable.
• Authenticode signature format [4]
– Authenticode® is a digital signature format that is used to determine the
origin and integrity of software binaries.
– Authenticode is based on Public-Key Cryptography Standards (PKCS) #7
signed data and X.509 certificates to bind an Authenticode-signed binary
to the identity of a software publisher.
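As an added example (not code from the talk or from the kernel), the Python below does the non-cryptographic half of what the kexec_file_load() path described above hands to the pefile parser: it walks the PE/COFF headers of a bzImage-style image to the Certificate Table data directory entry, checks the WIN_CERTIFICATE header (revision 0x0200, type 0x0002 = PKCS#7 SignedData), extracts the embedded PKCS#7 blob, and computes the Authenticode digest, i.e. the file hash with the CheckSum field, the certificate-table directory entry and the certificate table itself excluded. Offsets and constants are from the PE/COFF and Authenticode specifications; build_sample_pe() constructs a minimal PE32+ image with a placeholder in place of a real PKCS#7 signature, so the digest can be checked but no signature is actually verified.

```python
import hashlib
import struct

# Constants from the PE/COFF and Authenticode specifications.
PE32PLUS_MAGIC = 0x20B
PE32_MAGIC = 0x10B
CERT_TABLE_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds PKCS#7 SignedData


def parse_pe_signature(data: bytes):
    """Locate the Authenticode certificate table of a PE/COFF image.

    Returns None for an unsigned image, otherwise the raw PKCS#7 blob and the
    SHA-256 Authenticode digest (the value the signature's messageDigest must
    match).  Raises ValueError for a malformed image, as the kernel's pefile
    parser refuses one before attempting any cryptography.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32PLUS_MAGIC:
        dd_off = opt_off + 112                                  # PE32+ data directories
    elif magic == PE32_MAGIC:
        dd_off = opt_off + 96                                   # PE32 data directories
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt_off + 60)[0]
    checksum_off = opt_off + 64                                 # CheckSum field
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]    # NumberOfRvaAndSizes
    if num_dirs <= CERT_TABLE_INDEX:
        return None
    cert_entry_off = dd_off + 8 * CERT_TABLE_INDEX
    cert_off, cert_len = struct.unpack_from("<II", data, cert_entry_off)  # file offset, not RVA
    if cert_len == 0:
        return None                                             # unsigned image
    if cert_len < 8 or cert_off + cert_len > len(data):
        raise ValueError("certificate table outside the file")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unsupported WIN_CERTIFICATE revision or type")
    if dw_length < 8 or dw_length > cert_len:
        raise ValueError("inconsistent WIN_CERTIFICATE length")
    pkcs7 = data[cert_off + 8:cert_off + dw_length]

    # Authenticode digest: everything except CheckSum, the certificate-table
    # directory entry and the table itself; sections in file-offset order.
    h = hashlib.sha256()
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:cert_entry_off])
    h.update(data[cert_entry_off + 8:size_of_headers])
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    trailing = len(data) - hashed - cert_len                    # data after the last section
    if trailing > 0:
        h.update(data[hashed:hashed + trailing])
    return {"cert_offset": cert_off, "pkcs7": pkcs7, "digest": h.hexdigest()}


def build_sample_pe(section_payload: bytes, pkcs7_blob: bytes) -> bytes:
    """Constructed PE32+ image (not a real bzImage): one .text section plus a
    certificate table carrying pkcs7_blob as a stand-in for a real signature."""
    size_of_headers = 512
    cert_off = size_of_headers + len(section_payload)
    cert = struct.pack("<IHH", 8 + len(pkcs7_blob), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7_blob
    cert += b"\0" * (-len(cert) % 8)                            # 8-byte aligned table
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, 60, size_of_headers, 0)       # SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, cert_off, len(cert))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                       len(section_payload), size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(size_of_headers, b"\0") + section_payload + cert
```

Run against a real pesign-signed bzImage.efi, parse_pe_signature() returns the same DER blob that `pesign --show-signature` reports, and the digest is what the kernel compares against the messageDigest attribute after it has checked the PKCS#7 signature against the system keyring; a change to any section byte alters the digest, while the CheckSum field and the certificate table themselves are deliberately outside it.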