Module signing
When compiling the 5.4 kernel a signing key file is required. After a long search I got it working, so here are my notes.
Environment:
Red Hat 8.2
KVM virtual machine
make menuconfig
The options that configure the signing files are these two:
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"
make -j
The build stopped with the error:
make[2]: *** No rule to make target needed by ‘certs/x509_certificate_list’. Stop
Following the module-signing documentation, I did the following:
Create the file
vim certs/x509.genkey
with these contents:
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
In the certs directory run:
openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform PEM -out rhel.pem -keyout x509_certificate_list
The build still failed.
So I used the second method:
Comment out these two lines in .config:
#CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
#CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"
Then run
make -j
File name or PKCS#11 URI of module signing key (MODULE_SIG_KEY) [certs/signing_key.pem] (NEW)
Provide system-wide ring of trusted keys (SYSTEM_TRUSTED_KEYRING) [Y/?] y
Additional X.509 keys for default system keyring (SYSTEM_TRUSTED_KEYS) [] (NEW)
Reserve area for inserting a certificate without recompiling (SYSTEM_EXTRA_CERTIFICATE) [N/y/?] n
Provide a keyring to which extra trustable keys may be added (SECONDARY_TRUSTED_KEYRING) [N/y/?] n
Provide system-wide ring of blacklisted keys (SYSTEM_BLACKLIST_KEYRING) [Y/n/?] y
Hashes to be preloaded into the system blacklist keyring (SYSTEM_BLACKLIST_HASH_LIST) []
HOSTCC arch/x86/tools/relocs_32.o
HOSTCC arch/x86/tools/relocs_64.o
Press Enter to accept all the defaults.
The signing key is then generated automatically during the build.
make modules_install
make install
reboot
Reboot and you're done.
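Two things worth pinning down after the procedure above. First, the kernel's own Documentation/admin-guide/module-signing.rst generates the key with one openssl command that writes the private key and the certificate into the same PEM file, and CONFIG_MODULE_SIG_KEY points at that file; certs/x509_certificate_list is a file the build generates from CONFIG_SYSTEM_TRUSTED_KEYS, not a place to store a private key. When CONFIG_MODULE_SIG_KEY is left at its default certs/signing_key.pem and that file is absent, the build creates it itself, which is why the second method works. Second, a build that completes does not by itself prove the modules are signed, so it pays to inspect a built .ko: the kernel appends the PKCS#7 blob, a 12-byte struct module_signature, and the 28-byte magic "~Module signature appended~\n" to the end of the file. The script below is an added example, not code from the post or from the kernel tree: gen_signing_key does the documented key generation (it needs openssl and only runs when invoked as "sh script.sh genkey <dir>"), and ko_signed / ko_sig_info parse that trailer with nothing but tail and od. The two make_*_sample functions build constructed stand-in files so the check can be exercised offline; the helper name ko_signer and the sample paths are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the kernel tree).
set -eu

MAGIC='~Module signature appended~'   # the kernel appends this plus "\n" (28 bytes)

# Generate the module signing key as Documentation/admin-guide/module-signing.rst
# describes: private key and certificate in ONE file, named by CONFIG_MODULE_SIG_KEY.
gen_signing_key() {
    dir=$1
    cat > "$dir/x509.genkey" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
        -config "$dir/x509.genkey" -outform PEM \
        -out "$dir/signing_key.pem" -keyout "$dir/signing_key.pem"
    chmod 600 "$dir/signing_key.pem"   # the private key must not be world-readable
}

# Exit 0 if the file ends with the kernel's signature magic, 1 otherwise.
# ($(...) strips the trailing "\n", so the 28 bytes compare equal to MAGIC.)
ko_signed() {
    [ "$(tail -c 28 "$1")" = "$MAGIC" ]
}

# Print the 12-byte struct module_signature that sits just before the magic as
# "algo hash id_type signer_len key_id_len sig_len". Modern kernels write
# algo=0 hash=0 id_type=2 (PKEY_ID_PKCS7); sig_len is a big-endian u32 giving
# the size of the PKCS#7 blob that precedes the struct.
ko_sig_info() {
    f=$1
    ko_signed "$f" || { echo "unsigned"; return 1; }
    set -- $(tail -c 40 "$f" | od -An -tu1 -N12 -v)
    echo "$1 $2 $3 $4 $5 $(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))"
}

# On a real system, ask kmod who signed a module (needs modinfo), e.g.
#   ko_signer /lib/modules/$(uname -r)/kernel/fs/fat/fat.ko.xz
ko_signer() {
    modinfo -F signer "$1"
}

# Constructed sample: a stand-in module body, a 5-byte stand-in for the PKCS#7
# blob, then the trailer laid out exactly as the kernel writes it.
make_signed_sample() {
    printf 'fake-module-body' > "$1"
    printf 'SIG01' >> "$1"                                        # "signature", 5 bytes
    printf '\000\000\002\000\000\000\000\000\000\000\000\005' >> "$1"   # struct, sig_len=5
    printf '%s\n' "$MAGIC" >> "$1"
}

make_unsigned_sample() {
    printf 'fake-module-body' > "$1"
}

if [ "${1:-}" = "genkey" ]; then
    gen_signing_key "${2:-.}"
else
    t=${TMPDIR:-/tmp}/ko_sample.$$
    make_signed_sample "$t.signed.ko"
    make_unsigned_sample "$t.unsigned.ko"
    echo "signed sample:   $(ko_sig_info "$t.signed.ko")"
    echo "unsigned sample: $(ko_sig_info "$t.unsigned.ko" || true)"
    rm -f "$t.signed.ko" "$t.unsigned.ko"
fi
```

Run it with no arguments to see the trailer check on the two constructed files; point ko_signed or ko_sig_info at a real .ko from your build to confirm the modules were actually signed. Keep in mind that a signature is only enforced at load time when CONFIG_MODULE_SIG_FORCE=y or module.sig_enforce=1 is set; otherwise an unsigned module still loads and merely taints the kernel.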
References:
https://wiki.gentoo.org/wiki/Signed_kernel_module_support
https://dwaves.de/2017/06/30/fedora-redhat-centos7-centos8-compiling-the-latest-kernel-updated-2020-01/