Kernel Modules

Back

Installing Kernel modules

  1. Install Kernel module
modprobe hello
  1. Get info about a kernel module
modinfo hello
  1. List Kernel Modules
lsmod
  1. Info / printk messages can be found in journalctl

Signing kernel modules

Installing kernel modules will require the module to be signed. In case a signing key has not been generated a keypair will have to be created

  1. Creating a X.509 conf
cat >> x509.conf <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = extensions

[ req_distinguished_name ]
O = Example, Inc.
CN = Example, Inc. Kernel signing key
emailAddress = jdoe@example.com

[ extensions ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
  1. Generating a keypair
openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.priv
  1. Add the public key as a Machine Owner Key. Restart and in the UEFI Key Manager add the key
mokutil --import signing_key.x509
  1. You can list the installed keys with
mokutil --list-enrolled
  1. Sign the module
/usr/src/kernels/$(uname -r)/scripts/sign-file sha512 signing_key.pem signing_key.x509 /lib/modules/$(uname -r)/extra/hello.ko
  1. Use modprobe to add the module to the Linux Kernel

Further Reading

  1. https://blog.delouw.ch/2017/04/18/signing-linux-kernel-kodules-and-enforce-to-load-only-signed-modules/
  2. https://wiki.gentoo.org/wiki/Signed_kernel_module_support