DevHeads.net

Signing Kernel Module with the Private Key

crossposting devel@ and kernel@ since it's both kernel and documentation related

I'm not finding an updated version of this documentation:
https://docs.fedoraproject.org/en-US/Fedora/26/html/System_Administrators_Guide/sect-signing-kernel-module-with-the-private-key.html

And when I follow that, copy/pasting the perl script is stomping on my
kernel modules, making them zero length files. I also can't tell from
the documentation if this perl script should work on xz compressed
kernel modules, which they are by default on Fedora. I've tried it
both ways and still get zero length files, so I'm guessing the
documentation has gone stale or maybe the signing script has - not
sure how to troubleshoot it.

Comments

Re: Signing Kernel Module with the Private Key

By Samuel Sieb at 01/10/2019 - 03:03

On 1/9/19 10:03 PM, Chris Murphy wrote:
That script is a badly formatted copy from a terminal window. The "\ >"
parts are supposed to be the end of the line and the continuation marker
of the next. The script should be

perl /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 my_signing_key.priv my_signing_key_pub.der my_module.ko

all on one line (in case email processing breaks it). I would assume
the kernel module can't be compressed for the signing.

Re: Signing Kernel Module with the Private Key

By Chris Murphy at 01/10/2019 - 04:08

On Thu, Jan 10, 2019 at 12:03 AM Samuel Sieb < ... at sieb dot net> wrote:
OK that fixes the zero length file problem. But I still get this
unrecognized character error, whether compressed or not.

[root@fnuc extra]# perl /usr/src/kernels/4.19.14-300.fc29.x86_64/scripts/sign-file sha256 /home/chris/MOK.priv /home/chris/MOK.der icp.ko
Unrecognized character \x7F; marked by <-- HERE after <-- HERE near column 1 at /usr/src/kernels/4.19.14-300.fc29.x86_64/scripts/sign-file line 1.
[root@fnuc extra]# perl /usr/src/kernels/4.19.14-300.fc29.x86_64/scripts/sign-file sha256 /home/chris/MOK.priv /home/chris/MOK.der splat.ko
Unrecognized character \x7F; marked by <-- HERE after <-- HERE near column 1 at /usr/src/kernels/4.19.14-300.fc29.x86_64/scripts/sign-file line 1.

File size and time stamp haven't changed so I'm assuming it's not signed.

Re: Signing Kernel Module with the Private Key

By David Howells at 01/16/2019 - 10:57

That is correct till RHEL-8.

That is correct.

David

Re: Signing Kernel Module with the Private Key

By Nicol... at 01/10/2019 - 06:47

Hello Chris,

As Petr Pisar said, the latest Fedora kernel ships sign-file as a compiled binary. It
is still a perl script in RHEL.

Your command line should work if you remove the perl invocation:

/usr/src/kernels/4.19.14-300.fc29.x86_64/scripts/sign-file sha256 /home/chris/MOK.priv /home/chris/MOK.der icp.ko

providing you enrolled your public key in MOK with mokutil.

Concerning compressed modules: they have to be built, stripped (if
needed), signed and compressed, in that order, to work with
Secure Boot.
So if the build process compresses your modules automatically, you have
to decompress them before signing and re-compress them after signing.

Hope this will help you.

Cordially,
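The build / strip / sign / compress order above, written out as a shell script. This is an added example, not code from the thread or from Fedora; it assumes the kernel headers live under /usr/src/kernels/$(uname -r) and that the MOK key pair is MOK.priv and MOK.der in $KEYDIR (both assumptions, overridable through the environment). The module_is_signed check looks for the trailer string the kernel appends after the PKCS#7 signature blob, which is how you can tell a signed module from an unsigned one without modinfo:

```shell
#!/bin/sh
# Added example (not from the original post): sign out-of-tree modules with
# a MOK key, unpacking xz-compressed modules first and repacking afterwards.
# Assumed paths: SIGN_FILE and KEYDIR below are assumptions, not thread facts.
set -eu

SIGN_FILE="${SIGN_FILE:-/usr/src/kernels/$(uname -r)/scripts/sign-file}"
KEYDIR="${KEYDIR:-$HOME}"
HASH="${HASH:-sha256}"

# The kernel appends this exact marker (plus newline) after the signature.
SIG_MAGIC='~Module signature appended~'

# Returns 0 if the uncompressed module already carries a signature trailer.
# The marker is 27 bytes followed by "\n", so the last 28 bytes are enough.
module_is_signed() {
    tail -c 28 "$1" | grep -qF "$SIG_MAGIC"
}

# Strip debug info (optional) and sign one *uncompressed* .ko in place.
# Stripping must come before signing: it changes the bytes being signed.
sign_plain_module() {
    mod="$1"
    if module_is_signed "$mod"; then
        echo "already signed, skipping: $mod" >&2
        return 0
    fi
    strip --strip-debug "$mod"
    "$SIGN_FILE" "$HASH" "$KEYDIR/MOK.priv" "$KEYDIR/MOK.der" "$mod"
    module_is_signed "$mod" || { echo "signing failed: $mod" >&2; return 1; }
}

# Entry point: accepts foo.ko or foo.ko.xz. sign-file does not understand the
# xz container, so compressed modules are unpacked, signed, then repacked.
sign_module() {
    mod="$1"
    case "$mod" in
        *.ko.xz)
            plain="${mod%.xz}"
            xz -d -k "$mod"            # keep the original until we succeed
            sign_plain_module "$plain"
            xz -f "$plain"             # overwrites foo.ko.xz with the signed one
            ;;
        *.ko)
            sign_plain_module "$mod"
            ;;
        *)
            echo "not a kernel module: $mod" >&2
            return 1
            ;;
    esac
}

# Usage: ./sign-modules.sh /lib/modules/$(uname -r)/extra/*.ko*
# With no arguments nothing is signed; the functions are just defined.
if [ "$#" -gt 0 ]; then
    for m in "$@"; do
        sign_module "$m"
    done
fi
```

After signing, `modinfo -F signer icp.ko` should print the CN of the MOK certificate; loading still requires that MOK.der has been enrolled with mokutil and the enrollment confirmed at the next boot.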

Re: Signing Kernel Module with the Private Key

By Petr Pisar at 01/10/2019 - 04:38

On 2019-01-10, Chris Murphy < ... at colorremedies dot com> wrote:
The sign-file is not a Perl script. It's an ELF executable. You are
trying to interpret sign-file as Perl code using a perl
interpreter. While perl can usually interpret any garbage, this is an
exception :)

-- Petr