The document discusses signature verification of kernel modules and the kexec binary loader in Linux. It describes: 1) How to enable kernel module signing using config options to cryptographically sign modules during installation and check signatures on loading. 2) How to generate signing keys, sign modules, and require valid signatures. 3) The mechanism where modules contain a signature string and metadata for verification. 4) How kexec can verify signatures of PE signed bzImage binaries using Authenticode signatures embedded in the COFF format. 5) The steps to enable verification in kexec, sign bzImages, and load signed kernels via kexec for testing.

1. Signature verification ofSignature verification of
kernel module and kexeckernel module and kexec
October, 2016, openSUSE.Asia 2016, YogyakartaOctober, 2016, openSUSE.Asia 2016, Yogyakarta
Joey Lee, SUSE Labs Taipei

2. 2
Agenda
• Kernel module signing
– How to enable it
– Sign kernel module
– The mechanism of verification
• kexec: Verify signature of PE signed bzImage
– How to enable it
– Sign kernel PE binary for loading with kexec-file
– The mechanism of kexec-file syscall
• Q&A

3. Kernel module signingKernel module signing

4. 4
Kernel Module Signing Facility
• Introduced since v3.7-rc1 kernel
• Author: David Howells
– https://lkml.org/lkml/2012/9/24/631
– crypto algorithm: RSA
– Key identifier type: X.509
• The kernel module signing facility cryptographically signs
modules during installation and then checks the signature
upon loading the module.
• This allows increased kernel security by disallowing the
loading of unsigned modules or modules signed with an
invalid key. [1]

5. 5
How to enable modsign
• CONFIG_MODULE_SIG=y
– Module signature verification
• CONFIG_MODULE_SIG_FORCE
– Require modules to be validly signed
• CONFIG_MODULE_SIG_ALL
– Automatically sign all modules
• CONFIG_MODULE_SIG_SHA*
– which hash algorithm the installation phase will sign the
modules with
– e.g. CONFIG_MODULE_SIG_SHA512

6. 6
How to enable modsign (cont.)
• CONFIG_MODULE_SIG_KEY
– File name or PKCS#11 URI of module signing key
– Default: certs/signing_key.pem
• CONFIG_SYSTEM_TRUSTED_KEYS
– Additional X.509 keys for default system keyring
• CONFIG_MODULE_SIG_UEFI=y (SUSE)
– Load certificate from db, dbx, mok and mokx

7. 7
module signing key
• CONFIG_MODULE_SIG_KEY
– File name or PKCS#11 URI of module signing key
– Default:
● CONFIG_MODULE_SIG_KEY="certs/signing_key.p
em"
● certs/signing_key.pem (private key + public key)
● certs/signing_key.x509 (only public key)

8. 8
module signing key (cont.)

9. 9
module signing key (cont.)
• Show private key
– openssl rsa -in certs/signing_key.pem -noout -text | less

10. 10
module signing key (cont.)
• Show certificate (includes public key)
– openssl x509 -in certs/signing_key.pem -inform PEM -noout -text | less
– openssl x509 -in certs/signing_key.x509 -inform DER -noout -text | less

11. 11
x509.genkey
• During the building of vmlinux (the public part of the key needs to be built into
vmlinux) using parameters in the:
certs/x509.genkey
• This file is also generated if it does not already exist [1]
• Most notably, in the x509.genkey file, the req_distinguished_name section
• should be altered from the default:
– [ req_distinguished_name ]
#O = Unspecified company
CN = Build time autogenerated kernel key
#emailAddress = unspecified.user@unspecified.company
• The generated RSA key size can also be set with:
[ req ]
default_bits = 4096

12. 12
x509.genkey (cont.)

13. 13
sign module
• scripts/sign-file
– ./scripts/sign-file sha1 certs/signing_key.pem certs/signing_key.x509
drivers/platform/x86/acer-wmi.ko ~/acer-wmi-signed.ko
• CONFIG_MODULE_SIG_ALL=y
– Automatically sign all modules when “make
modules_install”

14. 14
Require modules to be validly signed
• CONFIG_MODULE_SIG_FORCE=y
– insmod: ERROR: could not insert module acer-wmi-unsign.ko: Required
key not available
•
• CONFIG_MODULE_SIG_FORCE not set
– module verification failed: signature and/or required key missing -
tainting kernel
– Taint kernel by 'E' flag

15. 15
Signature of module

16. 16
marker string

17. 17
module_signature

18. 18
PKEY_ID_X509 type (before v3.18)

19. 19
PKEY_ID_PKCS7 type (after v3.18)

20. 20

21. 21
MOKutil
• Import your certificate to machine owner key(MOK) variable.
• Linux kernel loads certificate from MOK to verify kernel module.
• # mokutil --root-pw --import certs/signing_key.x509

22. 22
MOKutil (cont.)

23. kexec: verify signaturekexec: verify signature

24. 24
kexec: Verify signature of PE signed bzImage
• Introduced since v3.7-rc1 kernel
• Author: Vivek Goyal
– https://lkml.org/lkml/2014/7/3/749
– x86_64 only
– Base on:
● kexec: A new system call to allow in kernel loading
● PKCS7 signature support
• Now kexec bzImage loader calls into pefile parser and
passes the PE signed bzImage for signature verification.

25. 25
How to enable kexec verify
• CONFIG_KEXEC_FILE=y
– kexec file based system call
• CONFIG_KEXEC_VERIFY_SIG=y
– Verify kernel signature during kexec_file_load() syscall
• CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
– Enable bzImage signature verification support

26. 26
The EFI Boot Stub
• On the x86 and ARM platforms, a kernel zImage/bzImage can
masquerade as a PE/COFF image, thereby convincing EFI
firmware loaders to load it as an EFI executable. [2]
• CONFIG_EFI_STUB=y
• The bzImage located in arch/x86/boot/bzImage must be copied
to the EFI System Partition (ESP) and renamed with the
extension ".efi".
• Using EFI shell to execute EFI stub kernel
• Grub2 supports kernel x86 boot protocol 2.11 (since v3.6)
– Protocol 2.11: (Kernel 3.6) Added a field for offset of EFI handover
protocol entry point. [5]
– With linuxefi/initrdefi grub2 module

27. 27
Key was rejected by service

28. 28
sign your bzImage
• set CONFIG_MODULE_SIG=y to generate signing_key.*
– Or using your own key-pair
• Enroll certificate to MOK to shim for kernel verification
– mokutil --root-pw --import certs/signing_key.x509
• Install mozilla-nss-tools, openssl and pesign
– zypper in mozilla-nss-tools openssl pesign

29. 29
sign your bzImage (cont.)
• Create certificate database for signing (certdb)
– mkdir $WORKSPACE
– cp $KERNEL_SOURCE/certs/signing_key.* ./
– mkdir certdb
– certutil -d certdb/ -A -i signing_key.x509 -n cert -t CT,CT,CT
• Hierarchy
/root/kexec-sign/:
certdb signing_key.pem signing_key.x509
/root/kexec-sign/certdb:
cert8.db key3.db secmod.db

30. 30
sign your bzImage (cont.)
• Using pesign to sign kernel
– pesign -n certdb/ -i /boot/"$TARGET_KERNEL"
-E ./"$TARGET_KERNEL".sattrs
– openssl dgst -sha256 -sign signing_key.pem ./"$TARGET_KERNEL".sattrs
> ./"$TARGET_KERNEL".sattrs.sig
– pesign -n certdb/ -c cert -i /boot/"$TARGET_KERNEL"
-R ./"$TARGET_KERNEL".sattrs.sig -I ./"$TARGET_KERNEL".sattrs
-o ./"$TARGET_KERNEL".signed
– pesign -S -i ./"$TARGET_KERNEL".signed
• Help script: kexec-sign-test.sh
– https://github.com/joeyli/hackweek/blob/master/kexec-sign-test/kexec-sign-test.sh
– kexec-sign-test.sh init ~/kernel-source.nfs
– kexec-sign-test.sh sign vmlinuz-4.4.21-default+

31. 31
Load signed kernel
• Load signed kernel with kexec-file system call for testing
– /sbin/kexec -s -p ./$SIGNED_KERNEL --append="ro quiet
elevator=deadline sysrq=yes reset_devices acpi_no_memhotplug
cgroup_disable=memory irqpoll nr_cpus=1 disable_cpu_apicid=0 noefi
acpi_rsdp=0xdfbfe014 panic=1"
• Copy signed kernel to /boot folder to replace the unsigned
kernel:
– # cp /root/kexec-sign/vmlinuz-4.4.21-default+.signed /boot/vmlinuz-
4.4.21-default+
• Reboot and check the kdump status:
– # systemctl status kdump -l

32. 32
Load crash kernel success

33. 33
Kernel signature hexdump

34. 34
Embedded signatures of PE/COFF
• CONFIG_EFI_STUB=y
– On the x86 and ARM platforms, a kernel zImage/bzImage can
masquerade as a PE/COFF image, thereby convincing EFI firmware
loaders to load it as an EFI executable.
• Authenticode signature format [4]
– Authenticode® is a digital signature format that is used to determine the
origin and integrity of software binaries.
– Authenticode is based on Public-Key Cryptography Standards
(PKCS) #7 signed data and X.509 certificates to bind an Authenticode-
signed binary to the identity of a software publisher.

35. 35
Embedded signatures of PE/COFF (cont.)

36. 36

37. Q&AQ&A

38. Terima Kasih!Terima Kasih!
謝謝謝謝 !!
Thank you!Thank you!

39. 39
References
• [1] Documentation/module-signing.txt
– https://www.kernel.org/doc/Documentation/module-signing.tx
• [2] Documentation/efi-stub.txt
– https://www.kernel.org/doc/Documentation/efi-stub.txt
• [3] Unified Extensible Firmware Interface Specification,
Version 2.6, January 2016
• [4] Windows Authenticode Portable Executable Signature
Format
• [5] Documentation/x86/boot.txt

40. 40
Join us on:
www.opensuse.org

41. 41