module-signing.rst (9095bf25ea08135a5b74875dd0e3eeaddc4218a0) | module-signing.rst (dddc7231b9ee253c9e7d23a3bd9d1e3b55613dcb) |
---|---|
1Kernel module signing facility 2------------------------------ 3 4.. CONTENTS 5.. 6.. - Overview. 7.. - Configuring module signing. 8.. - Generating signing keys. --- 166 unchanged lines hidden (view full) --- 175be used instead of an autogenerated keypair. 176 177 178========================= 179Public keys in the kernel 180========================= 181 182The kernel contains a ring of public keys that can be viewed by root. They're | 1Kernel module signing facility 2------------------------------ 3 4.. CONTENTS 5.. 6.. - Overview. 7.. - Configuring module signing. 8.. - Generating signing keys. --- 166 unchanged lines hidden (view full) --- 175be used instead of an autogenerated keypair. 176 177 178========================= 179Public keys in the kernel 180========================= 181 182The kernel contains a ring of public keys that can be viewed by root. They're |
183in a keyring called ".system_keyring" that can be seen by:: | 183in a keyring called ".builtin_trusted_keys" that can be seen by:: |
184 185 [root@deneb ~]# cat /proc/keys 186 ... | 184 185 [root@deneb ~]# cat /proc/keys 186 ... |
187 223c7853 I------ 1 perm 1f030000 0 0 keyring .system_keyring: 1 | 187 223c7853 I------ 1 perm 1f030000 0 0 keyring .builtin_trusted_keys: 1 |
188 302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora kernel signing key: d69a84e6bce3d216b979e9505b3e3ef9a7118079: X509.RSA a7118079 [] 189 ... 190 191Beyond the public key generated specifically for module signing, additional 192trusted certificates can be provided in a PEM-encoded file referenced by the 193``CONFIG_SYSTEM_TRUSTED_KEYS`` configuration option. 194 195Further, the architecture code may take public keys from a hardware store and 196add those in also (e.g. from the UEFI key database). 197 198Finally, it is possible to add additional public keys by doing:: 199 | 188 302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora kernel signing key: d69a84e6bce3d216b979e9505b3e3ef9a7118079: X509.RSA a7118079 [] 189 ... 190 191Beyond the public key generated specifically for module signing, additional 192trusted certificates can be provided in a PEM-encoded file referenced by the 193``CONFIG_SYSTEM_TRUSTED_KEYS`` configuration option. 194 195Further, the architecture code may take public keys from a hardware store and 196add those in also (e.g. from the UEFI key database). 197 198Finally, it is possible to add additional public keys by doing:: 199 |
200 keyctl padd asymmetric "" [.system_keyring-ID] <[key-file] | 200 keyctl padd asymmetric "" [.builtin_trusted_keys-ID] <[key-file] |
201 202e.g.:: 203 204 keyctl padd asymmetric "" 0x223c7853 <my_public_key.x509 205 206Note, however, that the kernel will only permit keys to be added to | 201 202e.g.:: 203 204 keyctl padd asymmetric "" 0x223c7853 <my_public_key.x509 205 206Note, however, that the kernel will only permit keys to be added to |
207``.system_keyring _if_`` the new key's X.509 wrapper is validly signed by a key 208that is already resident in the .system_keyring at the time the key was added. | 207``.builtin_trusted_keys _if_`` the new key's X.509 wrapper is validly signed by a key 208that is already resident in the .builtin_trusted_keys at the time the key was added. |
209 210 211======================== 212Manually signing modules 213======================== 214 215To manually sign a module, use the scripts/sign-file tool available in 216the Linux kernel source tree. The script requires 4 arguments: --- 69 unchanged lines hidden --- | 209 210 211======================== 212Manually signing modules 213======================== 214 215To manually sign a module, use the scripts/sign-file tool available in 216the Linux kernel source tree. The script requires 4 arguments: --- 69 unchanged lines hidden --- |
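Review bot: in the "Note, however" paragraph the rename keeps the pre-existing markup error ``.builtin_trusted_keys _if_``, which places the emphasis marker `_if_` inside the inline literal so reST renders the underscores verbatim instead of emphasising "if"; suggest splitting it as ``.builtin_trusted_keys`` *if* the new key's X.509 wrapper is validly signed by a key that is already resident in ``.builtin_trusted_keys`` at the time the key was added. The second mention in that sentence is also left bare while the first is a literal, so marking both up the same way keeps the keyring name consistently distinguishable from prose, which matters now that the name has changed and readers will be grepping the document for it.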