When you compile a kernel source, you can choose to sign kernel modules using the CONFIG_MODULE_SIG*
options. The modinfo
tool should handle the task of verifying the module signature, but there has been some bug in it for years, and the tool simply can't do the job anymore. All I get is the following:
sig_id: PKCS#7
signer:
sig_key:
sig_hashalgo: md4
signature: 30:82:02:F4:06:09:2A:86:48:86:F7:0D:01:07:02:A0:82:02:E5:30:
...
So there's no key and the hash algorithm is md4, which isn't even compiled in the kernel.
So how to manually check and verify the module signature? Is that even possible?
Best Answer
Yes, that's possible, but it's quite involved.
First you have to extract the module signature -- you can use the
extract-module.sig.pl
script from the kernel source for that:Second, you have to extract the certificate and public key from the kernel; you can use the
extract-sys-certs.pl
script for that:You can also extract the public key from the
certs/signing_key.x509
orcerts/signing_key.pem
files from the linux kernel's build directory.Having done that, you have all the data you need in
/tmp/modsig
and/tmp/cert.x509
and can continue with the dozen or so steps necessary to verify a PKCS#7 signature.You can look at this blog post for the whole recipe.
I've tried to put the whole process (except for the
extract-certs.pl
step) in a perl script.You can use it like this:
YMMV. I've only tried this with a custom built kernel using sha512 signatures. This should be of course much better done by using the openssl libraries directly, instead of kludging together slow and fragile
openssl x509
,asn1parse
andrsautl
invocations.checkmodsig.pl