1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

Signed Kernel Modules Support For Linux 3.7

Linux Kernel

Published on 16 October 2012 05:22 AM EDT
Written by Michael Larabel in Linux Kernel
8 Comments

One of the last merge requests that Linus Torvalds honored this past weekend prior to releasing Linux 3.7-rc1 as the modules pull, which added in module signing support for the Linux kernel.

The work coming out of Red Hat introduces a CONFIG_MODULE_SIG option that enables module signing support. This kernel configuration option causes the build process to sign the kernel modules as they are built and for the resulting kernel to check the modules when they are loaded. The module signing allows for SHA1, SHA224, SHA256, SHA384, and SHA512 cryptographic hashes.

A CONFIG_MODULE_SIG_FORCE option was also added as part of this kernel modules work, which will require any kernel module that is loaded to be signed by a key compiled into the kernel. If the module isn't signed by a key in that kernel, the module will not be loaded.

The accepted patches come via Red Hat's David Howells. The module signing support in its earliest form date back to 2004, but it wasn't agreed upon until just recently about the Linux kernel module signing support and it being acceptable for mainline integration.

The most pressing need for the module signing support is for UEFI SecureBoot so that the Linux kernel can reject loading any unsigned modules, which could pose a threat if it's malicious code or unsigned binary blobs.

The "modules-next" pull that went in on Sunday prior to the closing of the Linux 3.7 kernel that has this "MODSIGN" support can be seen from the web-based Git viewer.
David Howells (30):
Make most arch asm/module.h files use asm-generic/module.h
KEYS: Add payload preparsing opportunity prior to key instantiate or update
MPILIB: Provide count_leading/trailing_zeros() based on arch functions
KEYS: Document asymmetric key type
KEYS: Implement asymmetric key type
KEYS: Asymmetric key pluggable data parsers
KEYS: Asymmetric public-key algorithm crypto key subtype
KEYS: Provide signature verification with an asymmetric key
MPILIB: Reinstate mpi_cmp[_ui]() and export for RSA signature verification
RSA: Implement signature verification algorithm [PKCS#1 / RFC3447]
RSA: Fix signature verification for shorter signatures
X.509: Implement simple static OID registry
X.509: Add utility functions to render OIDs as strings
X.509: Add simple ASN.1 grammar compiler
X.509: Add an ASN.1 decoder
MPILIB: Provide a function to read raw data into an MPI
X.509: Add a crypto key parser for binary (DER) X.509 certificates
MODSIGN: Add FIPS policy
MODSIGN: Provide gitignore and make clean rules for extra files
MODSIGN: Provide Kconfig options
MODSIGN: Automatically generate module signing keys if missing
MODSIGN: Provide module signing public keys to the kernel
MODSIGN: Implement module signature checking
MODSIGN: Provide a script for generating a key ID from an X.509 cert
MODSIGN: Sign modules during the build process
MODSIGN: Use the same digest for the autogen key sig as for the module sig
MODSIGN: Use utf8 strings in signer's name in autogenerated X.509 certs
MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking
X.509: Convert some printk calls to pr_devel
X.509: Fix indefinite length element skip error handling

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Linux Hardware Reviews
  1. MSI X99S SLI PLUS On Linux
  2. NVIDIA GeForce GTX 970 Offers Great Linux Performance
  3. CompuLab Intense-PC2: An Excellent, Fanless, Mini PC Powered By Intel's i7 Haswell
  4. From The Atom 330 To Haswell ULT: Intel Linux Performance Benchmarks
Latest Linux Articles
  1. RunAbove: A POWER8 Compute Cloud With Offerings Up To 176 Threads
  2. 6-Way Ubuntu 14.10 Linux Desktop Benchmarks
  3. Ubuntu 14.10 XMir System Compositor Benchmarks
  4. Btrfs RAID HDD Testing On Ubuntu Linux 14.10
Latest Linux News
  1. openSUSE Factory & Tumbleweed Are Merging
  2. More Fedora Delays: Fedora 21 Beta Slips
  3. Mono Brings C# To The Unreal Engine 4
  4. Coreboot Now Has Support For Intel Broadwell Hardware
  5. Enlightenment's EFL 1.12 Alpha Has Evas GL-DRM Engine, OpenGL ES 1.1 Support
  6. GTK+ Lands Experimental Backend For Mir Display Server
  7. Ubuntu 14.10 Officially Released
  8. Mesa 10.4 Might Re-Enable HyperZ For R600g/RadeonSI
  9. Intel GVT-g GPU Virtualization Moves Closer
  10. GTK+ 3.16 To Bring Several New Features
Latest Forum Discussions
  1. Updated and Optimized Ubuntu Free Graphics Drivers
  2. Ubuntu 16.04 Might Be The Distribution's Last 32-Bit Release
  3. Linux hacker compares Solaris kernel code:
  4. HOPE: The Ease Of Python With The Speed Of C++
  5. Advertisements On Phoronix
  6. Users/Developers Threatening Fork Of Debian GNU/Linux
  7. AMD Releases UVD Video Decode Support For R600 GPUs
  8. Proof that strlcpy is un-needed