Kernel Module Signing
The kernel module signing facility signs modules during installation and then checks the signature upon loading the module. This allows increased kernel security by disallowing the loading of unsigned modules or modules that were signed with an invalid key.
Here are the kernel configuration options for kernel module signing:
- To enable kernel module signature verification, in the Enable Loadable Module Support section, enable CONFIG_MODULE_SIG.
- To select the kernel module signature verification mode, set CONFIG_MODULE_SIG_FORCE to one of the following options:
  - off: permissive mode. If the module is signed, it must have a trusted signature. If the module is not signed, it can be loaded, and the kernel is marked as tainted.
  - on: restrictive mode. Modules can only be loaded if they are signed with a trusted signature. The other modules will generate an error.
- To enable automatic kernel module signing at build time, set CONFIG_MODULE_SIG_ALL.
Note
By default, kernel modules are not signed at build time even if kernel module signature verification is enabled.
- To specify your signing keys, set CONFIG_MODULE_SIG_KEY to your own PEM format private key. By default, if CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" is not changed, the kernel automatically generates the PEM format signing key for kernel module signing. Setting CONFIG_MODULE_SIG_KEY to something other than the certs/signing_key.pem default value disables the auto-generation of signing keys and allows the kernel module to be signed with a key that you select.
Note
The CONFIG_SYSTEM_TRUSTED_KEYS kernel option can also be set to the filename of a PEM-encoded file that contains additional certificates. These are X.509 certificates that are compiled into the kernel and used to verify modules that are not signed at kernel build time. Refer to Kernel module signing facility for more information.
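The following shell script is an added example, not part of the original documentation: it audits a kernel .config for the options described above and reports the verification mode, whether modules are signed at build time, and which key is used. The function names, the key=value output format and the sample config are this example's own and are constructed for illustration.

```shell
# Added example: audit a kernel .config for the module-signing options above.
# Print an option's value (y, or a string without its quotes); empty if unset.
cfg_get() {  # usage: cfg_get OPTION FILE
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$2" | tail -n 1
}

# Print the verification mode: disabled, permissive or restrictive.
modsig_mode() {  # usage: modsig_mode FILE
    if [ "$(cfg_get CONFIG_MODULE_SIG "$1")" != y ]; then
        echo disabled
    elif [ "$(cfg_get CONFIG_MODULE_SIG_FORCE "$1")" = y ]; then
        echo restrictive
    else
        echo permissive
    fi
}

# Print one key=value finding per line (the format is this example's own).
modsig_audit() {  # usage: modsig_audit FILE
    mode=$(modsig_mode "$1")
    echo "mode=$mode"
    if [ "$mode" = disabled ]; then return 0; fi
    if [ "$(cfg_get CONFIG_MODULE_SIG_ALL "$1")" = y ]; then
        echo "sign_at_build=yes"
    else
        echo "sign_at_build=no"
        if [ "$mode" = restrictive ]; then echo "warn=unsigned-modules-rejected-unless-signed-after-build"; fi
    fi
    key=$(cfg_get CONFIG_MODULE_SIG_KEY "$1")  # a missing entry is treated as the default path
    if [ "${key:-certs/signing_key.pem}" = certs/signing_key.pem ]; then
        echo "key=auto-generated"
    else
        echo "key=custom:$key"
    fi
    extra=$(cfg_get CONFIG_SYSTEM_TRUSTED_KEYS "$1")
    if [ -n "$extra" ]; then echo "extra_trusted_certs=$extra"; fi
}

# Constructed sample .config fragment (not taken from a real build).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
# CONFIG_MODULE_SIG_ALL is not set
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
EOF
modsig_audit "$sample"
rm -f "$sample"
```

On the sample, the audit reports restrictive mode with build-time signing off, which is the combination where freshly built modules fail to load until they are signed.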