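How to resolve Linux kernel module signing problems
Prerequisite: you have a public key and a private key
Public key: signing_key.x509
Private key: signing_key.priv // on newer kernels this is signing_key.pem; see the update section
Use the tool that ships with the kernel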
$ perl <kernel_path>/scripts/sign-file sha512 signing_key.priv signing_key.x509 <module>.ko
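Replace kernel_path with the path to the kernel source root directory
Replace module with the module name
This command generates the module.ko file (if it is in the current path, the previous file is overwritten)
Verify that signing succeeded
Verify with this command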
$ hexdump -C <module>.ko | tail
Unsigned
00020a90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00020aa0 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |................|
00020ab0 00 00 00 00 00 00 00 00 d8 10 01 00 00 00 00 00 |................|
00020ac0 b0 04 00 00 00 00 00 00 1f 00 00 00 2e 00 00 00 |................|
00020ad0 08 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 |................|
00020ae0 09 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................|
00020af0 00 00 00 00 00 00 00 00 88 15 01 00 00 00 00 00 |................|
00020b00 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00020b10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00020b20
Signed successfully
00020cf0 10 7c 4b 7d 54 62 ec f3 47 ec ce 2a 3a a0 c7 8a |.|K}Tb..G..*:...|
00020d00 36 b3 e3 34 34 5f 68 83 50 65 8e 3d 20 c2 99 c6 |6..44_h.Pe.= ...|
00020d10 e6 93 3c 25 42 6c b5 0e c3 26 a6 9c 7f 1f d9 f7 |..<%Bl...&......|
00020d20 1c 6c 2b e4 18 fc 4f 68 a3 9d 4c 0e db de 5e d1 |.l+...Oh..L...^.|
00020d30 be 2a 90 94 e8 06 b1 16 e7 6b 60 27 78 0e cf f2 |.*.......k`'x...|
00020d40 f9 9b d2 a0 f6 1e c8 e6 14 e8 24 50 97 32 89 8c |..........$P.2..|
00020d50 f3 be 96 f8 01 06 01 1e 14 00 00 00 00 00 02 02 |................|
00020d60 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 75 72 |~Module signatur|
00020d70 65 20 61 70 70 65 6e 64 65 64 7e 0a |e appended~.|
00020d7c
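The hexdump check above only shows that the marker string is present. As an added example (not from the original post), this Python sketch parses the 12-byte struct module_signature that sits just before the marker and checks that its lengths fit in the file; it does not verify the signature cryptographically. The function names are hypothetical, the field layout is assumed from the kernel's module_signature definition, and the sample is constructed around the 12 trailer bytes visible in the signed dump.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # 28-byte marker ending a signed .ko
TRAILER = struct.Struct(">5B3xI")         # struct module_signature (12 bytes, sig_len big-endian)
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}

def parse_module_signature(data):
    """Return the trailer fields of a module image, or None if it is unsigned.

    Raises ValueError if the marker is present but the lengths cannot fit."""
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    appended = signer_len + key_id_len + sig_len
    payload_len = len(body) - TRAILER.size - appended
    if payload_len < 0:
        raise ValueError("signature lengths exceed the file size")
    return {"algo": algo, "hash": hash_id,
            "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
            "signer_len": signer_len, "key_id_len": key_id_len,
            "sig_len": sig_len, "payload_len": payload_len}

def build_sample():
    """Constructed sample: fake ELF bytes plus filler, ending with the 12 trailer
    bytes visible in the signed hexdump above (old X.509-style format)."""
    elf = b"\x7fELF" + bytes(60)                       # not a real module
    trailer = bytes.fromhex("01 06 01 1e 14 00 00 00 00 00 02 02")
    filler = bytes(0x1e) + bytes(0x14) + bytes(0x202)  # signer, key id, signature
    return elf, elf + filler + trailer + MAGIC

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # usage: python3 check_sig.py <module>.ko
        with open(sys.argv[1], "rb") as f:
            print(parse_module_signature(f.read()) or "unsigned")
    else:
        elf, signed = build_sample()
        print(parse_module_signature(signed))
        print(parse_module_signature(elf) or "unsigned")
```

Whether the kernel accepts the module still depends on the signing certificate being trusted by that kernel, which this check does not cover.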
2018-9-8 update
Linux kernel 4.3.3 and later versions sign with the following command
@$(KDIR)/scripts/sign-file sha512 $(PWD)/signing_key.pem $(PWD)/signing_key.x509 $(PWD)/hello.ko
Older kernels use (the same as described earlier in this article)
@perl $(KDIR)/scripts/sign-file sha512 $(PWD)/signing_key.priv $(PWD)/signing_key.x509 $(PWD)/hello.ko
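In newer versions, what used to be the Perl script sign-file has been changed into an executable program.
Signing the old way on a new kernel produces the following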
Unrecognized character \ ; marked by <-- HERE after <-- HERE near column 1 at /usr/src/linux/scripts/sign-file line 1.
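Location of the signing files
Signing files on older versions: signing_key.priv and signing_key.x509
Signing files on newer versions: signing_key.pem and signing_key.x509
Path where the signing files are stored
$(top-level directory of the Android source tree)/out/target/product/xxxx/obj/kernel/msm-4.4/certs/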