SlideShare a Scribd company logo

Signature verification of kernel module and kexec

joeylikernel, profile picture
joeylikernel

The document discusses signature verification of kernel modules and the kexec binary loader in Linux. It describes: 1) How to enable kernel module signing using config options to cryptographically sign modules during installation and check signatures on loading. 2) How to generate signing keys, sign modules, and require valid signatures. 3) The mechanism where modules contain a signature string and metadata for verification. 4) How kexec can verify signatures of PE signed bzImage binaries using Authenticode signatures embedded in the COFF format. 5) The steps to enable verification in kexec, sign bzImages, and load signed kernels via kexec for testing.

Software
1 of 41
Downloaded 11 times
1
2
3
4
Most read
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Most read
21
22
23
24
25
26
27
28
29
30
Most read
31
32
33
34
35
36
37
38
39
40
41
Signature verification ofSignature verification of kernel module and kexeckernel module and kexec October, 2016, openSUSE.Asia 2016, YogyakartaOctober, 2016, openSUSE.Asia 2016, Yogyakarta Joey Lee, SUSE Labs Taipei
2 Agenda ‱ Kernel module signing – How to enable it – Sign kernel module – The mechanism of verification ‱ kexec: Verify signature of PE signed bzImage – How to enable it – Sign kernel PE binary for loading with kexec-file – The mechanism of kexec-file syscall ‱ Q&A
Kernel module signingKernel module signing
4 Kernel Module Signing Facility ‱ Introduced since v3.7-rc1 kernel ‱ Author: David Howells – https://lkml.org/lkml/2012/9/24/631 – crypto algorithm: RSA – Key identifier type: X.509 ‱ The kernel module signing facility cryptographically signs modules during installation and then checks the signature upon loading the module. ‱ This allows increased kernel security by disallowing the loading of unsigned modules or modules signed with an invalid key. [1]
5 How to enable modsign ‱ CONFIG_MODULE_SIG=y – Module signature verification ‱ CONFIG_MODULE_SIG_FORCE – Require modules to be validly signed ‱ CONFIG_MODULE_SIG_ALL – Automatically sign all modules ‱ CONFIG_MODULE_SIG_SHA* – which hash algorithm the installation phase will sign the modules with – e.g. CONFIG_MODULE_SIG_SHA512
6 How to enable modsign (cont.) ‱ CONFIG_MODULE_SIG_KEY – File name or PKCS#11 URI of module signing key – Default: certs/signing_key.pem ‱ CONFIG_SYSTEM_TRUSTED_KEYS – Additional X.509 keys for default system keyring ‱ CONFIG_MODULE_SIG_UEFI=y (SUSE) – Load certificate from db, dbx, mok and mokx
7 module signing key ‱ CONFIG_MODULE_SIG_KEY – File name or PKCS#11 URI of module signing key – Default: ● CONFIG_MODULE_SIG_KEY="certs/signing_key.p em" ● certs/signing_key.pem (private key + public key) ● certs/signing_key.x509 (only public key)
8 module signing key (cont.)
9 module signing key (cont.) ‱ Show private key – openssl rsa -in certs/signing_key.pem -noout -text | less
10 module signing key (cont.) ‱ Show certificate (includes public key) – openssl x509 -in certs/signing_key.pem -inform PEM -noout -text | less – openssl x509 -in certs/signing_key.x509 -inform DER -noout -text | less
11 x509.genkey ‱ During the building of vmlinux (the public part of the key needs to be built into vmlinux) using parameters in the: certs/x509.genkey ‱ This file is also generated if it does not already exist [1] ‱ Most notably, in the x509.genkey file, the req_distinguished_name section ‱ should be altered from the default: – [ req_distinguished_name ] #O = Unspecified company CN = Build time autogenerated kernel key #emailAddress = unspecified.user@unspecified.company ‱ The generated RSA key size can also be set with: [ req ] default_bits = 4096
12 x509.genkey (cont.)
13 sign module ‱ scripts/sign-file – ./scripts/sign-file sha1 certs/signing_key.pem certs/signing_key.x509 drivers/platform/x86/acer-wmi.ko ~/acer-wmi-signed.ko ‱ CONFIG_MODULE_SIG_ALL=y – Automatically sign all modules when “make modules_install”
14 Require modules to be validly signed ‱ CONFIG_MODULE_SIG_FORCE=y – insmod: ERROR: could not insert module acer-wmi-unsign.ko: Required key not available ‱ ‱ CONFIG_MODULE_SIG_FORCE not set – module verification failed: signature and/or required key missing - tainting kernel – Taint kernel by 'E' flag
15 Signature of module
16 marker string
17 module_signature
18 PKEY_ID_X509 type (before v3.18)
19 PKEY_ID_PKCS7 type (after v3.18)
20
21 MOKutil ‱ Import your certificate to machine owner key(MOK) variable. ‱ Linux kernel loads certificate from MOK to verify kernel module. ‱ # mokutil --root-pw --import certs/signing_key.x509
22 MOKutil (cont.)
kexec: verify signaturekexec: verify signature
24 kexec: Verify signature of PE signed bzImage ‱ Introduced since v3.7-rc1 kernel ‱ Author: Vivek Goyal – https://lkml.org/lkml/2014/7/3/749 – x86_64 only – Base on: ● kexec: A new system call to allow in kernel loading ● PKCS7 signature support ‱ Now kexec bzImage loader calls into pefile parser and passes the PE signed bzImage for signature verification.
25 How to enable kexec verify ‱ CONFIG_KEXEC_FILE=y – kexec file based system call ‱ CONFIG_KEXEC_VERIFY_SIG=y – Verify kernel signature during kexec_file_load() syscall ‱ CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y – Enable bzImage signature verification support
26 The EFI Boot Stub ‱ On the x86 and ARM platforms, a kernel zImage/bzImage can masquerade as a PE/COFF image, thereby convincing EFI firmware loaders to load it as an EFI executable. [2] ‱ CONFIG_EFI_STUB=y ‱ The bzImage located in arch/x86/boot/bzImage must be copied to the EFI System Partition (ESP) and renamed with the extension ".efi". ‱ Using EFI shell to execute EFI stub kernel ‱ Grub2 supports kernel x86 boot protocol 2.11 (since v3.6) – Protocol 2.11: (Kernel 3.6) Added a field for offset of EFI handover protocol entry point. [5] – With linuxefi/initrdefi grub2 module
27 Key was rejected by service
28 sign your bzImage ‱ set CONFIG_MODULE_SIG=y to generate signing_key.* – Or using your own key-pair ‱ Enroll certificate to MOK to shim for kernel verification – mokutil --root-pw --import certs/signing_key.x509 ‱ Install mozilla-nss-tools, openssl and pesign – zypper in mozilla-nss-tools openssl pesign
29 sign your bzImage (cont.) ‱ Create certificate database for signing (certdb) – mkdir $WORKSPACE – cp $KERNEL_SOURCE/certs/signing_key.* ./ – mkdir certdb – certutil -d certdb/ -A -i signing_key.x509 -n cert -t CT,CT,CT ‱ Hierarchy /root/kexec-sign/: certdb signing_key.pem signing_key.x509 /root/kexec-sign/certdb: cert8.db key3.db secmod.db
30 sign your bzImage (cont.) ‱ Using pesign to sign kernel – pesign -n certdb/ -i /boot/"$TARGET_KERNEL" -E ./"$TARGET_KERNEL".sattrs – openssl dgst -sha256 -sign signing_key.pem ./"$TARGET_KERNEL".sattrs > ./"$TARGET_KERNEL".sattrs.sig – pesign -n certdb/ -c cert -i /boot/"$TARGET_KERNEL" -R ./"$TARGET_KERNEL".sattrs.sig -I ./"$TARGET_KERNEL".sattrs -o ./"$TARGET_KERNEL".signed – pesign -S -i ./"$TARGET_KERNEL".signed ‱ Help script: kexec-sign-test.sh – https://github.com/joeyli/hackweek/blob/master/kexec-sign-test/kexec-sign-test.sh – kexec-sign-test.sh init ~/kernel-source.nfs – kexec-sign-test.sh sign vmlinuz-4.4.21-default+
31 Load signed kernel ‱ Load signed kernel with kexec-file system call for testing – /sbin/kexec -s -p ./$SIGNED_KERNEL --append="ro quiet elevator=deadline sysrq=yes reset_devices acpi_no_memhotplug cgroup_disable=memory irqpoll nr_cpus=1 disable_cpu_apicid=0 noefi acpi_rsdp=0xdfbfe014 panic=1" ‱ Copy signed kernel to /boot folder to replace the unsigned kernel: – # cp /root/kexec-sign/vmlinuz-4.4.21-default+.signed /boot/vmlinuz- 4.4.21-default+ ‱ Reboot and check the kdump status: – # systemctl status kdump -l
32 Load crash kernel success
33 Kernel signature hexdump
34 Embedded signatures of PE/COFF ‱ CONFIG_EFI_STUB=y – On the x86 and ARM platforms, a kernel zImage/bzImage can masquerade as a PE/COFF image, thereby convincing EFI firmware loaders to load it as an EFI executable. ‱ Authenticode signature format [4] – Authenticode¼ is a digital signature format that is used to determine the origin and integrity of software binaries. – Authenticode is based on Public-Key Cryptography Standards (PKCS) #7 signed data and X.509 certificates to bind an Authenticode- signed binary to the identity of a software publisher.
35 Embedded signatures of PE/COFF (cont.)
36
Q&AQ&A
Terima Kasih!Terima Kasih! èŹèŹèŹèŹ !! Thank you!Thank you!
39 References ‱ [1] Documentation/module-signing.txt – https://www.kernel.org/doc/Documentation/module-signing.tx ‱ [2] Documentation/efi-stub.txt – https://www.kernel.org/doc/Documentation/efi-stub.txt ‱ [3] Unified Extensible Firmware Interface Specification, Version 2.6, January 2016 ‱ [4] Windows Authenticode Portable Executable Signature Format ‱ [5] Documentation/x86/boot.txt
40 Join us on: www.opensuse.org
41

More Related Content

PDF
ACPI Debugging from Linux Kernel
SUSE Labs Taipei
 
PDF
Kernel debug log and console on openSUSE
SUSE Labs Taipei
 
PDF
Uboot startup sequence
Houcheng Lin
 
PPT
Linux Kernel Image
艟鍗科技
 
PDF
Arm device tree and linux device drivers
Houcheng Lin
 
PPTX
Linux MMAP & Ioremap introduction
Gene Chang
 
PDF
Study on Android Emulator
Samael Wang
 
PPT
U boot porting guide for SoC
Macpaul Lin
 
ACPI Debugging from Linux Kernel
SUSE Labs Taipei
 
Kernel debug log and console on openSUSE
SUSE Labs Taipei
 
Uboot startup sequence
Houcheng Lin
 
Linux Kernel Image
艟鍗科技
 
Arm device tree and linux device drivers
Houcheng Lin
 
Linux MMAP & Ioremap introduction
Gene Chang
 
Study on Android Emulator
Samael Wang
 
U boot porting guide for SoC
Macpaul Lin
 

What's hot (20)

PDF
I2C Drivers
SysPlay eLearning Academy for You
 
PPT
U Boot or Universal Bootloader
Satpal Parmar
 
PPTX
Linux Kernel Booting Process (1) - For NLKB
shimosawa
 
PDF
Jagan Teki - U-boot from scratch
linuxlab_conf
 
PDF
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Anne Nicolas
 
PDF
Introduction to Modern U-Boot
GlobalLogic Ukraine
 
PDF
BeagleBone Black Bootloaders
SysPlay eLearning Academy for You
 
PPTX
Linux Kernel Module - For NLKB
shimosawa
 
PDF
Build your own embedded linux distributions by yocto project
Yen-Chin Lee
 
PPTX
U-Boot presentation 2013
Wave Digitech
 
PDF
Device Tree for Dummies (ELC 2014)
Thomas Petazzoni
 
PPTX
Linux Initialization Process (1)
shimosawa
 
PPTX
Bootloaders (U-Boot)
Omkar Rane
 
PDF
Linux Porting
Anil Kumar Pugalia
 
PDF
Multi-signed Kernel Module
SUSE Labs Taipei
 
PDF
Linux kernel debugging
libfetion
 
PDF
Android Security Internals
Opersys inc.
 
PDF
LCU14 500 ARM Trusted Firmware
Linaro
 
PDF
Qemu JIT Code Generator and System Emulation
National Cheng Kung University
 
PDF
Linux device drivers
Emertxe Information Technologies Pvt Ltd
 
I2C Drivers
SysPlay eLearning Academy for You
 
U Boot or Universal Bootloader
Satpal Parmar
 
Linux Kernel Booting Process (1) - For NLKB
shimosawa
 
Jagan Teki - U-boot from scratch
linuxlab_conf
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Anne Nicolas
 
Introduction to Modern U-Boot
GlobalLogic Ukraine
 
BeagleBone Black Bootloaders
SysPlay eLearning Academy for You
 
Linux Kernel Module - For NLKB
shimosawa
 
Build your own embedded linux distributions by yocto project
Yen-Chin Lee
 
U-Boot presentation 2013
Wave Digitech
 
Device Tree for Dummies (ELC 2014)
Thomas Petazzoni
 
Linux Initialization Process (1)
shimosawa
 
Bootloaders (U-Boot)
Omkar Rane
 
Linux Porting
Anil Kumar Pugalia
 
Multi-signed Kernel Module
SUSE Labs Taipei
 
Linux kernel debugging
libfetion
 
Android Security Internals
Opersys inc.
 
LCU14 500 ARM Trusted Firmware
Linaro
 
Qemu JIT Code Generator and System Emulation
National Cheng Kung University
 
Linux device drivers
Emertxe Information Technologies Pvt Ltd
 
Ad

Similar to Signature verification of kernel module and kexec (20)

PPTX
Introduction to InSpec and 1.0 release update
Alex Pop
 
PDF
EFI Secure Key
SUSE Labs Taipei
 
ODP
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Jan Kalcic
 
PPTX
Upgrade Ubuntu 18.04 Security with Secureboot
Jonathan MICHEL-VILLAZ
 
ODP
Continuous Security
Sysdig
 
PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PDF
Open SSL and MS Crypto API EKON21
Max Kleiner
 
PPTX
DevOpsDays InSpec Workshop
Mandi Walls
 
PDF
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
PDF
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Codemotion
 
PDF
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
PPTX
K2000 Scripted Installations
Dell World
 
PPTX
InSpec For DevOpsDays Amsterdam 2017
Mandi Walls
 
PPTX
InSpec Workshop at Velocity London 2018
Mandi Walls
 
PDF
kubernetes - minikube - getting started
Munish Mehta
 
PDF
CERN OpenStack Cloud Control Plane - From VMs to K8s
Belmiro Moreira
 
PDF
Docker Runtime Security
Sysdig
 
PDF
DockerCon EU 2015: Trading Bitcoin with Docker
Docker, Inc.
 
PDF
Pro2516 10 things about oracle and k8s.pptx-final
Michel Schildmeijer
 
PDF
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
The Linux Foundation
 
Introduction to InSpec and 1.0 release update
Alex Pop
 
EFI Secure Key
SUSE Labs Taipei
 
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Jan Kalcic
 
Upgrade Ubuntu 18.04 Security with Secureboot
Jonathan MICHEL-VILLAZ
 
Continuous Security
Sysdig
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Open SSL and MS Crypto API EKON21
Max Kleiner
 
DevOpsDays InSpec Workshop
Mandi Walls
 
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Codemotion
 
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
K2000 Scripted Installations
Dell World
 
InSpec For DevOpsDays Amsterdam 2017
Mandi Walls
 
InSpec Workshop at Velocity London 2018
Mandi Walls
 
kubernetes - minikube - getting started
Munish Mehta
 
CERN OpenStack Cloud Control Plane - From VMs to K8s
Belmiro Moreira
 
Docker Runtime Security
Sysdig
 
DockerCon EU 2015: Trading Bitcoin with Docker
Docker, Inc.
 
Pro2516 10 things about oracle and k8s.pptx-final
Michel Schildmeijer
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
The Linux Foundation
 
Ad

Recently uploaded (20)

PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
System and Network Administraation Chapter 3
jaramharo
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Introduction to Artificial Intelligence
lohedi9363
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
System and Network Administration Chapter 2
jaramharo
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 

Signature verification of kernel module and kexec

  • 1. Signature verification ofSignature verification of kernel module and kexeckernel module and kexec October, 2016, openSUSE.Asia 2016, YogyakartaOctober, 2016, openSUSE.Asia 2016, Yogyakarta Joey Lee, SUSE Labs Taipei
  • 2. 2 Agenda ‱ Kernel module signing – How to enable it – Sign kernel module – The mechanism of verification ‱ kexec: Verify signature of PE signed bzImage – How to enable it – Sign kernel PE binary for loading with kexec-file – The mechanism of kexec-file syscall ‱ Q&A
  • 4. 4 Kernel Module Signing Facility ‱ Introduced since v3.7-rc1 kernel ‱ Author: David Howells – https://lkml.org/lkml/2012/9/24/631 – crypto algorithm: RSA – Key identifier type: X.509 ‱ The kernel module signing facility cryptographically signs modules during installation and then checks the signature upon loading the module. ‱ This allows increased kernel security by disallowing the loading of unsigned modules or modules signed with an invalid key. [1]
  • 5. 5 How to enable modsign ‱ CONFIG_MODULE_SIG=y – Module signature verification ‱ CONFIG_MODULE_SIG_FORCE – Require modules to be validly signed ‱ CONFIG_MODULE_SIG_ALL – Automatically sign all modules ‱ CONFIG_MODULE_SIG_SHA* – which hash algorithm the installation phase will sign the modules with – e.g. CONFIG_MODULE_SIG_SHA512
  • 6. 6 How to enable modsign (cont.) ‱ CONFIG_MODULE_SIG_KEY – File name or PKCS#11 URI of module signing key – Default: certs/signing_key.pem ‱ CONFIG_SYSTEM_TRUSTED_KEYS – Additional X.509 keys for default system keyring ‱ CONFIG_MODULE_SIG_UEFI=y (SUSE) – Load certificate from db, dbx, mok and mokx
  • 7. 7 module signing key ‱ CONFIG_MODULE_SIG_KEY – File name or PKCS#11 URI of module signing key – Default: ● CONFIG_MODULE_SIG_KEY="certs/signing_key.p em" ● certs/signing_key.pem (private key + public key) ● certs/signing_key.x509 (only public key)
  • 9. 9 module signing key (cont.) ‱ Show private key – openssl rsa -in certs/signing_key.pem -noout -text | less
  • 10. 10 module signing key (cont.) ‱ Show certificate (includes public key) – openssl x509 -in certs/signing_key.pem -inform PEM -noout -text | less – openssl x509 -in certs/signing_key.x509 -inform DER -noout -text | less
  • 11. 11 x509.genkey ‱ During the building of vmlinux (the public part of the key needs to be built into vmlinux) using parameters in the: certs/x509.genkey ‱ This file is also generated if it does not already exist [1] ‱ Most notably, in the x509.genkey file, the req_distinguished_name section ‱ should be altered from the default: – [ req_distinguished_name ] #O = Unspecified company CN = Build time autogenerated kernel key #emailAddress = unspecified.user@unspecified.company ‱ The generated RSA key size can also be set with: [ req ] default_bits = 4096
  • 13. 13 sign module ‱ scripts/sign-file – ./scripts/sign-file sha1 certs/signing_key.pem certs/signing_key.x509 drivers/platform/x86/acer-wmi.ko ~/acer-wmi-signed.ko ‱ CONFIG_MODULE_SIG_ALL=y – Automatically sign all modules when “make modules_install”
  • 14. 14 Require modules to be validly signed ‱ CONFIG_MODULE_SIG_FORCE=y – insmod: ERROR: could not insert module acer-wmi-unsign.ko: Required key not available ‱ ‱ CONFIG_MODULE_SIG_FORCE not set – module verification failed: signature and/or required key missing - tainting kernel – Taint kernel by 'E' flag
  • 20. 20
  • 21. 21 MOKutil ‱ Import your certificate to machine owner key(MOK) variable. ‱ Linux kernel loads certificate from MOK to verify kernel module. ‱ # mokutil --root-pw --import certs/signing_key.x509
  • 23. kexec: verify signaturekexec: verify signature
  • 24. 24 kexec: Verify signature of PE signed bzImage ‱ Introduced since v3.7-rc1 kernel ‱ Author: Vivek Goyal – https://lkml.org/lkml/2014/7/3/749 – x86_64 only – Base on: ● kexec: A new system call to allow in kernel loading ● PKCS7 signature support ‱ Now kexec bzImage loader calls into pefile parser and passes the PE signed bzImage for signature verification.
  • 25. 25 How to enable kexec verify ‱ CONFIG_KEXEC_FILE=y – kexec file based system call ‱ CONFIG_KEXEC_VERIFY_SIG=y – Verify kernel signature during kexec_file_load() syscall ‱ CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y – Enable bzImage signature verification support
  • 26. 26 The EFI Boot Stub ‱ On the x86 and ARM platforms, a kernel zImage/bzImage can masquerade as a PE/COFF image, thereby convincing EFI firmware loaders to load it as an EFI executable. [2] ‱ CONFIG_EFI_STUB=y ‱ The bzImage located in arch/x86/boot/bzImage must be copied to the EFI System Partition (ESP) and renamed with the extension ".efi". ‱ Using EFI shell to execute EFI stub kernel ‱ Grub2 supports kernel x86 boot protocol 2.11 (since v3.6) – Protocol 2.11: (Kernel 3.6) Added a field for offset of EFI handover protocol entry point. [5] – With linuxefi/initrdefi grub2 module
  • 27. 27 Key was rejected by service
  • 28. 28 sign your bzImage ‱ set CONFIG_MODULE_SIG=y to generate signing_key.* – Or using your own key-pair ‱ Enroll certificate to MOK to shim for kernel verification – mokutil --root-pw --import certs/signing_key.x509 ‱ Install mozilla-nss-tools, openssl and pesign – zypper in mozilla-nss-tools openssl pesign
  • 29. 29 sign your bzImage (cont.) ‱ Create certificate database for signing (certdb) – mkdir $WORKSPACE – cp $KERNEL_SOURCE/certs/signing_key.* ./ – mkdir certdb – certutil -d certdb/ -A -i signing_key.x509 -n cert -t CT,CT,CT ‱ Hierarchy /root/kexec-sign/: certdb signing_key.pem signing_key.x509 /root/kexec-sign/certdb: cert8.db key3.db secmod.db
  • 30. 30 sign your bzImage (cont.) ‱ Using pesign to sign kernel – pesign -n certdb/ -i /boot/"$TARGET_KERNEL" -E ./"$TARGET_KERNEL".sattrs – openssl dgst -sha256 -sign signing_key.pem ./"$TARGET_KERNEL".sattrs > ./"$TARGET_KERNEL".sattrs.sig – pesign -n certdb/ -c cert -i /boot/"$TARGET_KERNEL" -R ./"$TARGET_KERNEL".sattrs.sig -I ./"$TARGET_KERNEL".sattrs -o ./"$TARGET_KERNEL".signed – pesign -S -i ./"$TARGET_KERNEL".signed ‱ Help script: kexec-sign-test.sh – https://github.com/joeyli/hackweek/blob/master/kexec-sign-test/kexec-sign-test.sh – kexec-sign-test.sh init ~/kernel-source.nfs – kexec-sign-test.sh sign vmlinuz-4.4.21-default+
  • 31. 31 Load signed kernel ‱ Load signed kernel with kexec-file system call for testing – /sbin/kexec -s -p ./$SIGNED_KERNEL --append="ro quiet elevator=deadline sysrq=yes reset_devices acpi_no_memhotplug cgroup_disable=memory irqpoll nr_cpus=1 disable_cpu_apicid=0 noefi acpi_rsdp=0xdfbfe014 panic=1" ‱ Copy signed kernel to /boot folder to replace the unsigned kernel: – # cp /root/kexec-sign/vmlinuz-4.4.21-default+.signed /boot/vmlinuz- 4.4.21-default+ ‱ Reboot and check the kdump status: – # systemctl status kdump -l
  • 34. 34 Embedded signatures of PE/COFF ‱ CONFIG_EFI_STUB=y – On the x86 and ARM platforms, a kernel zImage/bzImage can masquerade as a PE/COFF image, thereby convincing EFI firmware loaders to load it as an EFI executable. ‱ Authenticode signature format [4] – AuthenticodeÂź is a digital signature format that is used to determine the origin and integrity of software binaries. – Authenticode is based on Public-Key Cryptography Standards (PKCS) #7 signed data and X.509 certificates to bind an Authenticode- signed binary to the identity of a software publisher.
  • 35. 35 Embedded signatures of PE/COFF (cont.)
  • 36. 36
  • 39. 39 References ‱ [1] Documentation/module-signing.txt – https://www.kernel.org/doc/Documentation/module-signing.tx ‱ [2] Documentation/efi-stub.txt – https://www.kernel.org/doc/Documentation/efi-stub.txt ‱ [3] Unified Extensible Firmware Interface Specification, Version 2.6, January 2016 ‱ [4] Windows Authenticode Portable Executable Signature Format ‱ [5] Documentation/x86/boot.txt
  • 41. 41

Editor's Notes

  • #12: CN: Common Name Organization (O)
  • #39: Terima kasih. ćŸ—ç†ćȘœć˜Žè„ż
  • #40: Theory Mathematics