linux 内核签名


内核配置

内核从3.7后开始支持模块签名,这个功能使能以后,内核只允许安装特定key签名的模块。
内核只有在编译时开启了相关配置(.config)后,才会启用内核模块签名功能:

# /boot/config-$(uname -r)
# 启用内核模块签名机制;此时模块签名或不签名都可以加载
CONFIG_MODULE_SIG=y
# 强制签名:模块必须有正确的签名才能加载(对应代码中 sig_enforce 的默认值)
CONFIG_MODULE_SIG_FORCE=y
# 编译安装时对所有模块自动签名
CONFIG_MODULE_SIG_ALL=y

相关代码体现
内核 5.10.43

// kernel/module.c
/*
 * load_module() (excerpt): the copied-in module image is handed to
 * module_sig_check() and any non-zero result aborts the load via free_copy.
 * Everything else in the function is elided here.
 *
 * @info:  load_info describing the in-memory module image
 * @uargs: user-space module arguments (not used in this excerpt)
 * @flags: load flags, forwarded unchanged to module_sig_check()
 */
static int load_module(struct load_info *info, const char __user *uargs,
		       int flags)
{
	...
	/* Signature policy gate: any error here aborts the load. */
	err = module_sig_check(info, flags);
	if (err)
		goto free_copy;
	...
}

#ifdef CONFIG_MODULE_SIG
/*
 * module_sig_check() (excerpt): look for the signature marker at the end of
 * the module image, verify the signature when it is present, and decide what
 * happens when verification does not succeed.
 *
 * Shown here: the marker check and the failure path. The elided code
 * presumably handles the success case and sets `reason`/`err`; confirm
 * against the full function.
 *
 * Return: 0 to allow the load, -EKEYREJECTED when signatures are enforced,
 *         otherwise whatever security_locked_down() returns.
 */
static int module_sig_check(struct load_info *info, int flags)
{
	...
	/*
	 * Only when no load flags are set, and only if the image is longer
	 * than the marker, compare its last markerlen bytes with
	 * MODULE_SIG_STRING. The length guard keeps the memcmp offset inside
	 * the image.
	 */
	if (flags == 0 &&
	    info->len > markerlen &&
	    // include/linux/module_signature.h
		// #define MODULE_SIG_STRING "~Module signature appended~\n"
	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
		/* We truncate the module to discard the signature */
		info->len -= markerlen;
		/* Parse the trailer and check the PKCS#7 signature (kernel/module_signing.c). */
		err = mod_verify_sig(mod, info);
	}

	...
	
	/*
	 * Failure path: the module is unsigned or its signature did not verify
	 * (`reason` comes from the elided code). With sig_enforce on, the
	 * load is refused outright.
	 */
	if (is_module_sig_enforced()) {
		pr_notice("Loading of %s is rejected\n", reason);
		return -EKEYREJECTED;
	}

	/*
	 * Not enforced: the module is allowed unless kernel lockdown vetoes it.
	 * Without CONFIG_MODULE_SIG_FORCE (or module.sig_enforce=1) this call
	 * is the only remaining gate in this function for an unsigned module.
	 */
	return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
}
#else /* !CONFIG_MODULE_SIG */
/* No signature support built in: every module is accepted unchecked. */
static int module_sig_check(struct load_info *info, int flags)
{
	return 0;
}
#endif /* !CONFIG_MODULE_SIG */

/*
 * Runtime enforcement switch consulted by module_sig_check(). It starts at
 * the build-time CONFIG_MODULE_SIG_FORCE value and is exposed as the
 * module.sig_enforce parameter; bool_enable_only means it can be switched on
 * after boot but never back off. Mode 0644: readable by everyone, writable
 * only by the owner (root) through sysfs.
 */
static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
module_param(sig_enforce, bool_enable_only, 0644);

/* Accessor for the switch above; EXPORT_SYMBOL makes it usable from other modules. */
bool is_module_sig_enforced(void)
{
	return sig_enforce;
}
EXPORT_SYMBOL(is_module_sig_enforced);

// kernel/module_signing.c
/*
 * mod_verify_sig() (excerpt): verify the PKCS#7 signature appended to a
 * module image. The elided code computes modlen (length of the signed part)
 * and sig_len (length of the signature blob that follows it).
 *
 * @mod:  start of the module image
 * @info: load_info for the image (presumably its length is adjusted in the
 *        elided part — confirm against the full function)
 *
 * Return: 0 on success, or the negative error from mod_check_sig() /
 *         verify_pkcs7_signature().
 */
int mod_verify_sig(const void *mod, struct load_info *info)
{
	struct module_signature ms;
	...
	/* The fixed-size trailer occupies the last sizeof(ms) bytes of modlen. */
	memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
	/* Validate the trailer fields before anything derived from them is used. */
	ret = mod_check_sig(&ms, modlen, "module");
	if (ret)
		return ret;
	...
	/*
	 * Cryptographic check: the signature blob at mod + modlen must verify
	 * over the first modlen bytes against the trusted keys selected by
	 * VERIFY_USE_SECONDARY_KEYRING.
	 */
	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
				      VERIFY_USE_SECONDARY_KEYRING,
				      VERIFYING_MODULE_SIGNATURE,
				      NULL, NULL);
}

内核如何签名

如何查看驱动是否加入签名

查看驱动程序文件末尾的数据是否为 MODULE_SIG_STRING("~Module signature appended~\n")。注意这只能说明文件附加了签名数据,并不代表签名本身有效;签名是否有效要由内核加载时的 mod_verify_sig() 校验。

# 有驱动签名
root:~$ hexdump -C ./crc32c-intel.ko | tail
000055f0  c6 5b 16 42 16 79 2a f8  5e bb b1 50 cf 7f 2b 73  |.[.B.y*.^..P..+s|
00005600  b6 0d 26 0e 63 f9 2f 46  2a 11 b7 61 b4 8d 61 46  |..&.c./F*..a..aF|
00005610  13 16 5f 09 97 c9 a9 84  61 0a a4 bc 60 03 48 92  |.._.....a...`.H.|
00005620  c3 62 20 03 43 36 eb c6  44 3a d4 fd 1c 03 14 ff  |.b .C6..D:......|
00005630  d5 c8 03 5a 07 5f 58 30  1e 7f d4 66 59 b4 14 c2  |...Z._X0...fY...|
00005640  98 b8 b2 6a 45 d6 13 54  cc 01 04 01 2b 14 00 00  |...jE..T....+...|
00005650  00 00 00 01 82 7e 4d 6f  64 75 6c 65 20 73 69 67  |.....~Module sig|
00005660  6e 61 74 75 72 65 20 61  70 70 65 6e 64 65 64 7e  |nature appended~|
00005670  0a                                                |.|
00005671
# 无驱动签名
root:~$ hexdump -C ./ahci.ko | tail
00017370  00 00 00 00 00 00 00 00  c1 00 00 00 01 00 00 00  |................|
00017380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00017390  10 6a 01 00 00 00 00 00  14 00 00 00 00 00 00 00  |.j..............|
000173a0  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
000173b0  00 00 00 00 00 00 00 00  51 00 00 00 03 00 00 00  |........Q.......|
000173c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000173d0  24 6a 01 00 00 00 00 00  4d 01 00 00 00 00 00 00  |$j......M.......|
000173e0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|

模块签名

特殊模块签名

(以下为推测,不一定准确)
由于 linux 3.7 之后才加入模块签名配置,所以 3.7 之前的内核(如下面的 2.6.32)把签名信息保存在 .note.module.sig 段中,如下是 2.6.32 的签名信息:

root:~$ readelf -x .note.module.sig ./ahci.ko

Hex dump of section '.note.module.sig':
  0x00000000 0b000000 60000000 64000000 6d6f6475 ....`...d...modu
  0x00000010 6c652e73 69670000 885e0400 11080006 le.sig...^......
  0x00000020 05025965 2b82000a 091070a6 64250e63 ..Ye+.....p.d%.c
  0x00000030 2d89586b 00ff647b fec64300 74f9a3c2 -.Xk..d{..C.t...
  0x00000040 a37b794a 4ec5e2d8 98d75872 e28ce4a7 .{yJN.....Xr....
  0x00000050 fcbed2c8 21af00ff 74c2c36c e5de163e ....!...t..l...>
  0x00000060 06522257 3a43c974 a9bbf067 7987e46c .R"W:C.t...gy..l
  0x00000070 1a154fbd 7b9a6aa8                   ..O.{.j.

Linux内核模块常见问题



版权声明:本文为qq_40227064原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。