Linux – No OpenSSL sign-file signing_key.pem leads to error while loading kernel modules

kernelkernel-modulelinuxsslUbuntu

I am having problems while loading/installing a kernel module. The kernel module builds successfully, but whenever I try to make module_install, the kernel seems to fail to load. It leaves the below error message :-

At main.c:158:
    - SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
    - SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178 sign-file: certs/signing_key.pem: No such file or directory
    DEPMOD 4.10.0-20-generic

I have read about this problem and realized that the kernel has now started loading only properly signed modules. I find that the kernel source directory /usr/src/<linux version>/certs in my system does not have the signing_key.pem private key file because of which I see this error.

What should I do ? Can I manually generate a signing_key.pem file and use it further ? What would be some good methods to do so ? Will generating a private key/certificate file using openssl.cnf help me in this regard ? Or should I avoid using signed modules at all and try loading the modules as it is without any verification ?

I am using Ubuntu 17.04 with kernel 4.10.0-20-generic.

Best Answer

In your linux kernel root folder that you're compiling go to the certs folder and run:

openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

Where x509.genkey is a file with the contents:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

Refer to: https://wiki.gentoo.org/wiki/Signed_kernel_module_support

Option 2, is disable automated signing of modules in the config make menuconfig or make xconfig

Related Solutions

Ubuntu – vmware linux headers not found for ubuntu 10.10

After using Greg Suarez's suggestion, tou will need to patch a few things to get this to work. Taken (and corrected) from: http://blog.gnu-designs.com/solved-building-vmware-workstation-modules-on-linux-2-6-32

tar xvf /usr/lib/vmware/modules/source/vmnet.tar -C /tmp
tar xvf /usr/lib/vmware/modules/source/vmci.tar -C /tmp

cd /tmp

perl -pi -e 's,("vnetInt.h"),\1\n#include "compat_sched.h",' vmnet-only/vnetUserListener.c
perl -pi -e 's,("compat_page.h"),\1\n#include "compat_sched.h",' vmci-only/include/pgtbl.h

tar cvf /usr/lib/vmware/modules/source/vmnet.tar vmnet-only
tar cvf /usr/lib/vmware/modules/source/vmci.tar vmci-only

Now you should be able to continue on with installing vmplayer/workstation

How to digitally sign a 64-bit kernel mode driver

Yes, you need to purchase a certificate from a Trusted Certificate Authority. If anyone could make a certificate, there'd be countless certificates claiming to be "Microsoft Corporation" and it would be virus heaven.

That document you mention is what I used to learn how to sign drivers. I highly recommend you set aside a few days and run through it start to finish. I spent a good part of the week going through it.

All I can offer on top of that is the following batch file which I execute from VS2010 in post-build. It uses a certificate from the computer's certificate store, not a file. The reason it's so complex is I use it in many different circcumstances for many different projects.

Sign.bat

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Signs the project output.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Usage
:: 
:: Post-build event command line:
:: Call "$(ProjectDir)..\..\Sign.bat" "$(ConfigurationName)" "$(TargetPath)"
:: 
:: Run the post-build event:
:: When the build updates the project output

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Input Parameters
:: 
:: %~1   $(ConfigurationName)    The file's configuration.  This function will
::                               use a different certificate for "Debug"
::                               configurations.
:: %~2   $(TargetPath)           The full path of the first file to sign.
:: %~3+  FileName                The names of the remaining files to sign.
::                               These files must reside in the same directory
::                               as %2.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Validate the parameters.
If "%~1"=="Debug" Exit /B 0
If "%~1"=="" Goto Error
If "%~2"=="" Goto Error
Goto Valid

:Error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Report that the syntax is incorrect.
Echo One or more parameters are missing.
Echo.
Echo %~nx0 configuration filename1 [filename2 ...]
Echo.
Echo configuration      The project configuration.  Usually "Debug" or "Release".
Echo filename1          The full path of the first file to sign.
Echo filename2          The names of addition files to sign.  These files must
Echo                    reside in the same folder as "filename1".
Echo.
Exit /B 1

:Valid
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Change to the assembly's folder.
%~d2
CD %~dp2

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Prepare the list of files to sign.
Set FileList=
:CreateFileList
Set FileList=%FileList% %~snx2
Shift /2
If Not "%~2"=="" Goto CreateFileList

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Sign the assembly files.
Set Store=my
Set Certificate=type the name of your certificate here
Set TimeStampUrl=http://timestamp.verisign.com/scripts/timestamp.dll
C:\WinDDK\7600.16385.1\bin\x86\SignTool.exe Sign /s "%Store%" /n "%Certificate%" /t "%TimeStampUrl%" %FileList%
If %ErrorLevel%==1 Exit /B 1

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Verify the digital signature is valid.
C:\WinDDK\7600.16385.1\bin\x86\SignTool.exe Verify /pa %FileList%

Best Answer

Related Solutions

Ubuntu – vmware linux headers not found for ubuntu 10.10

How to digitally sign a 64-bit kernel mode driver

Related Question