Signature verification of kernel module and kexec

Signature verification ofSignature verification of
kernel module and kexeckernel module and kexec
October, 2016, openSUSE.Asia 2016, YogyakartaOctober, 2016, openSUSE.Asia 2016, Yogyakarta
Joey Lee, SUSE Labs Taipei

2
Agenda
• Kernel module signing
– How to enable it
– Sign kernel module
– The mechanism of verification
• kexec: Verify signature of PE signed bzImage
– How to enable it
– Sign kernel PE binary for loading with kexec-file
– The mechanism of kexec-file syscall
• Q&A

Kernel module signingKernel module signing

4
Kernel Module Signing Facility
• Introduced since v3.7-rc1 kernel
• Author: David Howells
– https://lkml.org/lkml/2012/9/24/631
– crypto algorithm: RSA
– Key identifier type: X.509
• The kernel module signing facility cryptographically signs
modules during installation and then checks the signature
upon loading the module.
• This allows increased kernel security by disallowing the
loading of unsigned modules or modules signed with an
invalid key. [1]

5
How to enable modsign
• CONFIG_MODULE_SIG=y
– Module signature verification
• CONFIG_MODULE_SIG_FORCE
– Require modules to be validly signed
• CONFIG_MODULE_SIG_ALL
– Automatically sign all modules
• CONFIG_MODULE_SIG_SHA*
– which hash algorithm the installation phase will sign the
modules with
– e.g. CONFIG_MODULE_SIG_SHA512

6
How to enable modsign (cont.)
• CONFIG_MODULE_SIG_KEY
– File name or PKCS#11 URI of module signing key
– Default: certs/signing_key.pem
• CONFIG_SYSTEM_TRUSTED_KEYS
– Additional X.509 keys for default system keyring
• CONFIG_MODULE_SIG_UEFI=y (SUSE)
– Load certificate from db, dbx, mok and mokx

7
module signing key
• CONFIG_MODULE_SIG_KEY
– File name or PKCS#11 URI of module signing key
– Default:
● CONFIG_MODULE_SIG_KEY="certs/signing_key.p
em"
● certs/signing_key.pem (private key + public key)
● certs/signing_key.x509 (only public key)

9
module signing key (cont.)
• Show private key
– openssl rsa -in certs/signing_key.pem -noout -text | less

10
module signing key (cont.)
• Show certificate (includes public key)
– openssl x509 -in certs/signing_key.pem -inform PEM -noout -text | less
– openssl x509 -in certs/signing_key.x509 -inform DER -noout -text | less

11
x509.genkey
• During the building of vmlinux (the public part of the key needs to be built into
vmlinux) using parameters in the:
certs/x509.genkey
• This file is also generated if it does not already exist [1]
• Most notably, in the x509.genkey file, the req_distinguished_name section
• should be altered from the default:
– [ req_distinguished_name ]
#O = Unspecified company
CN = Build time autogenerated kernel key
#emailAddress = unspecified.user@unspecified.company
• The generated RSA key size can also be set with:
[ req ]
default_bits = 4096

13
sign module
• scripts/sign-file
– ./scripts/sign-file sha1 certs/signing_key.pem certs/signing_key.x509
drivers/platform/x86/acer-wmi.ko ~/acer-wmi-signed.ko
• CONFIG_MODULE_SIG_ALL=y
– Automatically sign all modules when “make
modules_install”

14
Require modules to be validly signed
• CONFIG_MODULE_SIG_FORCE=y
– insmod: ERROR: could not insert module acer-wmi-unsign.ko: Required
key not available
•
• CONFIG_MODULE_SIG_FORCE not set
– module verification failed: signature and/or required key missing -
tainting kernel
– Taint kernel by 'E' flag

18
PKEY_ID_X509 type (before v3.18)

19
PKEY_ID_PKCS7 type (after v3.18)

21
MOKutil
• Import your certificate to machine owner key(MOK) variable.
• Linux kernel loads certificate from MOK to verify kernel module.
• # mokutil --root-pw --import certs/signing_key.x509

kexec: verify signaturekexec: verify signature

24
kexec: Verify signature of PE signed bzImage
• Introduced since v3.7-rc1 kernel
• Author: Vivek Goyal
– https://lkml.org/lkml/2014/7/3/749
– x86_64 only
– Base on:
● kexec: A new system call to allow in kernel loading
● PKCS7 signature support
• Now kexec bzImage loader calls into pefile parser and
passes the PE signed bzImage for signature verification.

25
How to enable kexec verify
• CONFIG_KEXEC_FILE=y
– kexec file based system call
• CONFIG_KEXEC_VERIFY_SIG=y
– Verify kernel signature during kexec_file_load() syscall
• CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
– Enable bzImage signature verification support

26
The EFI Boot Stub
• On the x86 and ARM platforms, a kernel zImage/bzImage can
masquerade as a PE/COFF image, thereby convincing EFI
firmware loaders to load it as an EFI executable. [2]
• CONFIG_EFI_STUB=y
• The bzImage located in arch/x86/boot/bzImage must be copied
to the EFI System Partition (ESP) and renamed with the
extension ".efi".
• Using EFI shell to execute EFI stub kernel
• Grub2 supports kernel x86 boot protocol 2.11 (since v3.6)
– Protocol 2.11: (Kernel 3.6) Added a field for offset of EFI handover
protocol entry point. [5]
– With linuxefi/initrdefi grub2 module

27
Key was rejected by service

28
sign your bzImage
• set CONFIG_MODULE_SIG=y to generate signing_key.*
– Or using your own key-pair
• Enroll certificate to MOK to shim for kernel verification
– mokutil --root-pw --import certs/signing_key.x509
• Install mozilla-nss-tools, openssl and pesign
– zypper in mozilla-nss-tools openssl pesign

29
sign your bzImage (cont.)
• Create certificate database for signing (certdb)
– mkdir $WORKSPACE
– cp $KERNEL_SOURCE/certs/signing_key.* ./
– mkdir certdb
– certutil -d certdb/ -A -i signing_key.x509 -n cert -t CT,CT,CT
• Hierarchy
/root/kexec-sign/:
certdb signing_key.pem signing_key.x509
/root/kexec-sign/certdb:
cert8.db key3.db secmod.db

30
sign your bzImage (cont.)
• Using pesign to sign kernel
– pesign -n certdb/ -i /boot/"$TARGET_KERNEL"
-E ./"$TARGET_KERNEL".sattrs
– openssl dgst -sha256 -sign signing_key.pem ./"$TARGET_KERNEL".sattrs
> ./"$TARGET_KERNEL".sattrs.sig
– pesign -n certdb/ -c cert -i /boot/"$TARGET_KERNEL"
-R ./"$TARGET_KERNEL".sattrs.sig -I ./"$TARGET_KERNEL".sattrs
-o ./"$TARGET_KERNEL".signed
– pesign -S -i ./"$TARGET_KERNEL".signed
• Help script: kexec-sign-test.sh
– https://github.com/joeyli/hackweek/blob/master/kexec-sign-test/kexec-sign-test.sh
– kexec-sign-test.sh init ~/kernel-source.nfs
– kexec-sign-test.sh sign vmlinuz-4.4.21-default+

31
Load signed kernel
• Load signed kernel with kexec-file system call for testing
– /sbin/kexec -s -p ./$SIGNED_KERNEL --append="ro quiet
elevator=deadline sysrq=yes reset_devices acpi_no_memhotplug
cgroup_disable=memory irqpoll nr_cpus=1 disable_cpu_apicid=0 noefi
acpi_rsdp=0xdfbfe014 panic=1"
• Copy signed kernel to /boot folder to replace the unsigned
kernel:
– # cp /root/kexec-sign/vmlinuz-4.4.21-default+.signed /boot/vmlinuz-
4.4.21-default+
• Reboot and check the kdump status:
– # systemctl status kdump -l

34
Embedded signatures of PE/COFF
• CONFIG_EFI_STUB=y
– On the x86 and ARM platforms, a kernel zImage/bzImage can
masquerade as a PE/COFF image, thereby convincing EFI firmware
loaders to load it as an EFI executable.
• Authenticode signature format [4]
– Authenticode® is a digital signature format that is used to determine the
origin and integrity of software binaries.
– Authenticode is based on Public-Key Cryptography Standards
(PKCS) #7 signed data and X.509 certificates to bind an Authenticode-
signed binary to the identity of a software publisher.

35
Embedded signatures of PE/COFF (cont.)

Terima Kasih!Terima Kasih!
謝謝謝謝 !!
Thank you!Thank you!

39
References
• [1] Documentation/module-signing.txt
– https://www.kernel.org/doc/Documentation/module-signing.tx
• [2] Documentation/efi-stub.txt
– https://www.kernel.org/doc/Documentation/efi-stub.txt
• [3] Unified Extensible Firmware Interface Specification,
Version 2.6, January 2016
• [4] Windows Authenticode Portable Executable Signature
Format
• [5] Documentation/x86/boot.txt

40
Join us on:
www.opensuse.org

Signature verification of kernel module and kexec

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Signature verification of kernel module and kexec

Similar to Signature verification of kernel module and kexec (20)

Recently uploaded

Recently uploaded (20)

Signature verification of kernel module and kexec

Editor's Notes