Kernel Module Signing

I would like to use signed kernel modules [https://www.kernel.org/doc/html/v4.10/admin-guide/module-signing.html]. Is this feature available in OpenWrt?

No, kernel module signing is not implemented.

Where would be the best place to keep a hook like the one below?


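function pre_pkg_preinst() {
    # This hook signs any out-of-tree kernel modules with the hash algorithm
    # and key configured for the kernel in ${KERNEL_DIR}, so that they load
    # on a kernel that enforces module signatures.
    # Relies on the Portage phase environment: KERNEL_DIR, D, INSDESTTREE and
    # the `die` helper. Once the kernel is known to use module signing, any
    # failure aborts the merge instead of silently installing unsigned modules.
    if [[ "$(type -t linux-mod_pkg_preinst)" != "function" ]]; then
        # The package does not seem to install any kernel modules.
        return
    fi
    local kconfig="${KERNEL_DIR}/.config"
    [[ -r "${kconfig}" ]] || die "Kernel config ${kconfig} is not readable"
    # Get the signature algorithm used by the kernel.
    local module_sig_hash="$(grep -Po '(?<=CONFIG_MODULE_SIG_HASH=").*(?=")' "${kconfig}")"
    if [[ -z "${module_sig_hash}" ]]; then
        # CONFIG_MODULE_SIG_HASH is only set when module signing is enabled;
        # without it sign-file would be called with an empty hash argument.
        echo "pre_pkg_preinst: CONFIG_MODULE_SIG_HASH not set in ${kconfig}; not signing modules" >&2
        return
    fi
    # Get the key file used by the kernel (defaults to the kernel's own key).
    local module_sig_key="$(grep -Po '(?<=CONFIG_MODULE_SIG_KEY=").*(?=")' "${kconfig}")"
    module_sig_key="${module_sig_key:-certs/signing_key.pem}"
    # CONFIG_MODULE_SIG_KEY is a PKCS#11 URI, an absolute path, or a path
    # relative to the kernel source tree.
    local key_path
    if [[ "${module_sig_key}" == pkcs11:* || "${module_sig_key}" == /* ]]; then
        key_path="${module_sig_key}"
    else
        key_path="${KERNEL_DIR}/${module_sig_key}"
    fi
    # A PKCS#11 URI is not a file, so only file-based keys can be checked here.
    if [[ "${key_path}" != pkcs11:* && ! -r "${key_path}" ]]; then
        die "Module signing key ${key_path} is not readable"
    fi
    # Certificate path
    local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
    [[ -r "${cert_path}" ]] || die "Module signing certificate ${cert_path} is not readable"
    local sign_file="${KERNEL_DIR}/scripts/sign-file"
    [[ -x "${sign_file}" ]] || die "${sign_file} is missing; build the kernel's scripts first"
    # Sign all installed modules before merging. A loop instead of `find -exec`
    # lets a failed signature abort the merge (find would have discarded the
    # exit status); -print0 / -d '' keep unusual path characters intact.
    local module
    while IFS= read -r -d '' module; do
        "${sign_file}" "${module_sig_hash}" "${key_path}" "${cert_path}" "${module}" \
            || die "Failed to sign ${module}"
    done < <(find "${D%/}/${INSDESTTREE#/}/" -name "*.ko" -print0)
}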

This script is from [https://wiki.gentoo.org/wiki/Signed_kernel_module_support].

Any suggestion?

One quick way to try it out is below:

diff --git a/include/image.mk b/include/image.mk
index fdbc71645a..b9c465fc27 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -276,6 +276,11 @@ define Image/Manifest
 		$(BIN_DIR)/$(IMG_PREFIX)$(if $(PROFILE_SANITIZED),-$(PROFILE_SANITIZED)).manifest
 endef
 
+define Image/Signkmod
+	echo "Signing KMOD........................................................................"
+	find "$(TARGET_DIR)/lib/modules" -name "*.ko" -exec "$(LINUX_DIR)/scripts/sign-file" sha1 $(LINUX_DIR)/certs/signing_key.pem $(LINUX_DIR)/certs/signing_key.x509 '{}' \;
+endef
+
 define Image/gzip-ext4-padded-squashfs
 
   define Image/Build/squashfs
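Review bot: The digest is hard-coded as `sha1` on the find line of Image/Signkmod, and `-exec … \;` discards sign-file's exit status, so a module whose signing fails (missing key, unsupported algorithm) is still packed into the image unsigned, with nothing but a stderr line to show for it. The hash should be the one the kernel was configured with (CONFIG_MODULE_SIG_HASH in `$(LINUX_DIR)/.config`; whether that value is exposed to this Makefile cannot be told from the hunk), and the loop should propagate failures, e.g. `find "$(TARGET_DIR)/lib/modules" -name "*.ko" -print0 | xargs -0 -n1 "$(LINUX_DIR)/scripts/sign-file" <kernel-hash> "$(LINUX_DIR)/certs/signing_key.pem" "$(LINUX_DIR)/certs/signing_key.x509"`, which makes the recipe fail if any single invocation fails. The key and certificate arguments are also left unquoted, unlike the other paths on the same line.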
@@ -768,11 +773,13 @@ define BuildImage
   endif
 
   kernel_prepare: image_prepare
+	$(call Image/Signkmod)
 	$(call Image/Build/targz)
 	$(call Image/Build/cpiogz)
 	$(call Image/BuildKernel)
 	$(if $(CONFIG_TARGET_ROOTFS_INITRAMFS),$(if $(IB),,$(call Image/BuildKernel/Initramfs)))
 	$(call Image/InstallKernel)
+
 .NOTPARALLEL :
   $(foreach device,$(TARGET_DEVICES),$(call Device,$(device)))
 
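Review bot: `$(call Image/Signkmod)` is invoked unconditionally as the first step of kernel_prepare, while the neighbouring initramfs line shows this file's convention of gating optional steps on a config symbol and on `$(IB)`. On a kernel built without module signing this still runs sign-file over every module, and in an ImageBuilder run `$(LINUX_DIR)/scripts/sign-file` and the private key are presumably absent, so the step would fail the build; `$(if $(CONFIG_<module-signing-option>),$(if $(IB),,$(call Image/Signkmod)))` keeps the default build unchanged. Re-running kernel_prepare re-signs modules that already carry a signature; whether sign-file's appended-signature layout tolerates that should be verified rather than assumed.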

This will sign only the kernel modules included in the image.