弁財天

Goffman: "Rather than trusting the experts, think and judge for yourself."

make M=net/netfilter

hatenablog.com→Notes on building a Linux kernel module

wiki.archlinux.jp→Compiling kernel modules

$ tar -zxvf linux-5.6.18.tar.gz
$ cd linux-5.6.18
$ cp /usr/lib/modules/`uname -r`/build/.config .
$ cp /usr/lib/modules/`uname -r`/build/Module.symvers .
$ make prepare && make scripts
$ make M=net/netfilter
$ xz net/netfilter/nfnetlink_queue.ko
# cp net/netfilter/nfnetlink_queue.ko.xz /usr/lib/modules/`uname -r`/update/.
# rmmod nfnetlink_queue
# modprobe nfnetlink_queue
# lsmod|grep nfnetlink_queue

[66496.487385] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7

Ohh wow lol, so it's set up so that kernel modules have to be signed, huh lol

community.oracle.com→How to load custom kernel module with Secure Boot (OL8.1 UEK6)

cat >>/tmp/x509.conf <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = extensions

[ req_distinguished_name ]
O = Example, Inc.
CN = Example, Inc. Kernel signing key
emailAddress = jdoe@example.com

[ extensions ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

#Generate keys

openssl req -x509 -new -nodes -utf8 -sha256 -days 99999 -batch -config /tmp/x509.conf -outform DER -out pubkey.der -keyout priv.key

#Import key

mokutil --import pubkey.der
 
#Reboot and enroll key

#Sign module

/usr/src/kernels/$(uname -r)/scripts/sign-file sha256 priv.key pubkey.der /lib/modules/$(uname -r)/extra/hello.ko

#I just tried to do this in Fedora 31 with kernel 5.4.17 in another VM with UEFI and Secure Boot and everything is OK.

[Apr 9 23:44] hello: loading out-of-tree module taints kernel.
[  +0.003322] Hello world!

# mokutil --import pubkey.der
# mokutil --enable-validation

# grep MODULE /boot/config-5.6.18-300.fc32.x86_64 
CONFIG_MODULES_USE_ELF_RELA=y
CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULES=y
# CONFIG_MODULE_FORCE_LOAD is not set
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_SHA384 is not set
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha256"
# CONFIG_MODULE_COMPRESS is not set
# CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
CONFIG_MODULES_TREE_LOOKUP=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

# modprobe nfnetlink_queue
modprobe: ERROR: could not insert 'nfnetlink_queue': Exec format error
# modprobe --force-vermagic nfnetlink_queue
modprobe: ERROR: could not insert 'nfnetlink_queue': Key was rejected by service
# 

# xz -d nfnetlink_queue.ko.xz
# hexdump -C nfnetlink_queue.ko|tail
000087f0  4f 6c e6 ea fe 8d 83 07  73 d4 88 70 87 98 fc 76  |Ol......s..p...v|
00008800  1b 68 ea f9 c4 f4 bf 40  40 78 a1 a0 45 4d f3 21  |.h.....@@x..EM.!|
00008810  1c f0 e5 9c 26 51 77 1e  fd 73 8a cd da 67 af 61  |....&Qw..s...g.a|
00008820  d9 0f 22 74 41 55 85 a6  f2 89 98 67 39 20 09 c5  |.."tAU.....g9 ..|
00008830  56 c6 14 7d a1 16 82 d8  df ff e6 9b aa 5e 24 09  |V..}.........^$.|
00008840  37 a9 19 31 2c 37 2a 9b  9e 63 a9 bd 93 ac 00 00  |7..1,7*..c......|
00008850  02 00 00 00 00 00 00 00  02 de 7e 4d 6f 64 75 6c  |..........~Modul|
00008860  65 20 73 69 67 6e 61 74  75 72 65 20 61 70 70 65  |e signature appe|
00008870  6e 64 65 64 7e 0a                                 |nded~.|
00008876
# 
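The bytes at the end of that hexdump are the kernel's `struct module_signature` (from include/linux/module_signature.h) followed by the 28-byte magic string; the `00 00 02 de` right before the magic is `sig_len` = 0x2de = 734 bytes of detached PKCS#7 data, which is what the kernel verifies against the keys it trusts. As an added example (not from the original post or the linked threads), here is a small Python parser that applies the same header sanity checks the kernel does before looking at the PKCS#7 blob and splits a `.ko` into signed content and signature; the sample module is constructed from the 12 header bytes and magic visible above, with a stand-in ELF body and a dummy 734-byte signature.

```python
import struct

# Trailer layout, from the kernel's include/linux/module_signature.h:
#   struct module_signature { u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len; }
# followed by the 28-byte magic the hexdump above ends with.
MAGIC = b"~Module signature appended~\n"
SIG_HDR = struct.Struct(">BBBBBBBBI")  # 12 bytes, sig_len is big-endian
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts for modules


def parse_module_signature(ko: bytes):
    """Return a dict describing the appended signature, or None if the module has none.

    Mirrors the checks the kernel applies to the header before verifying the PKCS#7 blob.
    """
    if not ko.endswith(MAGIC):
        return None  # no signature trailer at all (unsigned module)
    body = ko[:-len(MAGIC)]
    if len(body) < SIG_HDR.size:
        raise ValueError("trailer too short for a module_signature header")
    algo, hsh, id_type, signer_len, key_id_len, p0, p1, p2, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    content = body[:-SIG_HDR.size]
    if sig_len == 0 or sig_len >= len(content):
        raise ValueError("sig_len is empty or larger than the file")
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"id_type {id_type} is not PKCS#7")
    if any((algo, hsh, signer_len, key_id_len, p0, p1, p2)):
        raise ValueError("PKCS#7 header must have zeroed algo/hash/signer/key_id/pad fields")
    return {
        "sig_len": sig_len,
        "signature": content[-sig_len:],    # DER-encoded PKCS#7 SignedData (detached)
        "signed_data": content[:-sig_len],  # the module bytes the signature covers
    }


# Constructed sample: a stand-in ELF body, a 734-byte dummy signature, then the exact
# 12 header bytes and magic seen in the hexdump above (sig_len = 0x02de = 734).
SAMPLE_KO = (
    b"\x7fELF" + b"\x00" * 64
    + b"\xaa" * 734
    + bytes.fromhex("00 00 02 00 00 00 00 00 00 00 02 de")
    + MAGIC
)

if __name__ == "__main__":
    info = parse_module_signature(SAMPLE_KO)
    print(f"PKCS#7 signature of {info['sig_len']} bytes covering {len(info['signed_data'])} bytes")
```

The extracted blob can be written to a file and inspected with `openssl pkcs7 -inform DER -print`, whose SignerInfo issuer and serial number identify which signing certificate the kernel would need to trust.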

askubuntu.com→How to install module.ko module without kernel signature or kernel rebuild in Ubuntu 16.04?
