2

I read what David Howells wrote on: https://kernel.googlesource.com/pub/scm/linux/kernel/git/dhowells/linux-modsign/+/modsign-rusty/Documentation/module-signing.txt

I heard that the CONFIG_MODULE_SIG has to be turned on, but it was not stated particularly how. I am also not sure how to use a kernel make command.

I am not able to piece together enough information to generate a mini signed LKM.

Would anyone here have done it before and be able to guide me on a minimalist example of signing a helloworld LKM?

Ursa Major

2 Answers

2

To enable CONFIG_MODULE_SIG, simply have this line in the configuration file (.config):

CONFIG_MODULE_SIG=y

I've not tried, but I think you can even have CONFIG_MODULE_SIG=y in the make command, like:

make CONFIG_MODULE_SIG=y

For how to build an LKM for Android, there are several tutorials on the internet; for example, take a look at this: How do you create a loadable kernel module for Android?

Community
72DFBF5B A0DF5BE9
  • The signature is still not embedded. I am not sure how to sign the module. – Ursa Major Feb 01 '14 at 07:15
  • @UrsaMajor support for kernel signed modules started from Linux 3.7: http://kernelnewbies.org/Linux_3.7. Signing a kernel module for Android is the same as signing a kernel module for Linux. What is your Linux kernel? – 72DFBF5B A0DF5BE9 Feb 01 '14 at 18:33
  • There is a lot of description, but it is unclear. E.g. set config. Where? Set what? Which path? E.g. use this command. Specifically how? An example is the best definition. It would be most efficient that way. Thank you, 72DFBF5B A0DF5BE9, for your help. +1 for you. – Ursa Major Feb 01 '14 at 18:52
  • @UrsaMajor, just see this: http://yatsec.blogspot.com/2011/01/guide-to-compiling-custom-kernel.html; there is much more. About CONFIG_MODULE_SIG=y: you can add it to the Makefile or just to the make command line, as I said in my answer. – 72DFBF5B A0DF5BE9 Feb 01 '14 at 18:56
  • This is great! They should do this. Very direct, clear and sweet. – Ursa Major Feb 01 '14 at 21:05
  • @UrsaMajor, glad you liked it. Do you have any other questions? Otherwise you can close this question. – 72DFBF5B A0DF5BE9 Feb 01 '14 at 21:08
  • Hi @72DFBF5B A0DF5BE9, I am giving you a +50 bounty. Please allow me to ask further questions if I meet some blocking point in the process. Thank you. – Ursa Major Feb 02 '14 at 03:48
  • @UrsaMajor, you are welcome. Sure, just ask me here about upcoming problems/questions. – 72DFBF5B A0DF5BE9 Feb 02 '14 at 03:49
  • As a manual step, how may we create a linker command script to insert the signature manually into the ELF headers? During runtime authentication, how may we read contents from the ELF header from the kernel module? – Ursa Major Feb 02 '14 at 03:57
  • @UrsaMajor, for example you can see http://www.jukie.net/~bart/elfpgp/; you can also use signelf: http://lkml.indiana.edu/hypermail/linux/kernel/1301.1/04326.html – 72DFBF5B A0DF5BE9 Feb 02 '14 at 04:39
  • How do we read the .rodata from the kernel? Can you advise me on a code snippet? – Ursa Major Feb 02 '14 at 05:52
  • Do readelf -S; it will give you the offset and size of rodata. Just read those bytes: "# readelf -S yourbinary.elf" – 72DFBF5B A0DF5BE9 Feb 02 '14 at 06:13
  • Also you can do: objdump -s -j .rodata elffile – 72DFBF5B A0DF5BE9 Feb 02 '14 at 06:14
  • @UrsaMajor, you need to write some special code for it if you want to extract the .rodata of an ELF; similar to objdump and readelf, you need to write your own code. Unless you are asking for something else, is it? If you are asking for something else, explain it; otherwise you need to write some code similar to readelf to parse the ELF header, find the rodata section and extract the bytes. – 72DFBF5B A0DF5BE9 Feb 02 '14 at 06:17
  • Yes, it is what I am asking. Is there a code snippet for this? – Ursa Major Feb 02 '14 at 06:49
  • GNU binutils contains objdump: http://ftp.gnu.org/gnu/binutils/, readelf source: http://sourceforge.net/apps/trac/elftoolchain/browser/trunk/readelf – 72DFBF5B A0DF5BE9 Feb 02 '14 at 06:54
1

CONFIG_MODULE_SIG=y only enables the feature; to enforce it you also have to put CONFIG_MODULE_SIG_FORCE=y in the config file.

Basically, I found that there are three flags associated with this feature:

CONFIG_MODULE_SIG=y        # to enable the feature
CONFIG_MODULE_SIG_ALL=y    # to sign all the loadable modules during the build process
CONFIG_MODULE_SIG_FORCE=y  # to enforce the feature so that no unsigned module can be loaded
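A check for whether a built .ko actually carries a signature, added here as an example and not taken from the answers or from the kernel tree. It relies on the kernel's on-disk layout for signed modules (signature data, then struct module_signature, then a marker string, all appended after the ELF image); the names inspect_module and ModSig are hypothetical and the sample bytes are constructed.

```python
import struct
from typing import NamedTuple, Optional

# Marker the kernel looks for at the very end of a signed module file.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then a big-endian 32-bit sig_len (12 bytes in total).
TRAILER = struct.Struct(">5B3xI")


class ModSig(NamedTuple):
    algo: int
    hash_algo: int
    id_type: int
    signer_len: int
    key_id_len: int
    sig_len: int
    payload_len: int  # size of the ELF image without the appended data


def inspect_module(blob: bytes) -> Optional[ModSig]:
    """Return ModSig for a signed module, None for an unsigned one.

    Raises ValueError when the marker is present but the trailer lengths
    do not fit inside the file (truncated or inconsistent signature block).
    """
    if not blob.endswith(MODULE_SIG_STRING):
        return None
    end = len(blob) - len(MODULE_SIG_STRING)
    if end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    hdr = TRAILER.unpack_from(blob, end - TRAILER.size)
    # Appended data = signer name + key id + signature (hdr[3], hdr[4], hdr[5]).
    payload_len = end - TRAILER.size - (hdr[3] + hdr[4] + hdr[5])
    if payload_len <= 0:
        raise ValueError("signature lengths exceed file size")
    if blob[:4] != b"\x7fELF":
        raise ValueError("payload is not an ELF image")
    return ModSig(*hdr, payload_len)


# Constructed sample: a fake 64-byte "ELF" body plus a 16-byte dummy signature,
# using id_type 2 (PKCS#7) with no signer name or key id.
FAKE_ELF = b"\x7fELF" + bytes(60)
SIGNED = FAKE_ELF + b"\xaa" * 16 + TRAILER.pack(0, 0, 2, 0, 0, 16) + MODULE_SIG_STRING

if __name__ == "__main__":
    print("unsigned:", inspect_module(FAKE_ELF))
    print("signed:  ", inspect_module(SIGNED))
```

To inspect a real module, pass the result of open(path, "rb").read() to inspect_module; a None result means no signature was appended. The check only reports the presence and shape of the signature block and does not validate the signature itself.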