由于目前bios支持efi,如果支持UEFI Secure Boot启动,那么内核所有模块都必须使用UEFI Secure key 签名.
查看当前系统key:
#keyctl list %:.system_keyring
如果系统没有开启UEFI Secure Boot,会类似如下输出:
3 keys in keyring: ...asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87... ...asymmetric: Red Hat Enterprise Linux kernel signing key: 4249689eefc77e95880b... ...asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b7...否则,类似输出:
6 keys in keyring: ...asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87... ...asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29... ...asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed... ...asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e... ...asymmetric: Red Hat Enterprise Linux kernel signing key: 4249689eefc77e95880b... ...asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b7...你也可以查看内核与UEFI Secure Boot(如 UEFI Secure Boot db, embedded shim, 以及 MOK list)相关的验证秘钥:
# dmesg | grep 'EFI: Loaded cert'
[5.160660] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a9290239...
[5.160674] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309b...
[5.165794] EFI: Loaded cert 'Red Hat Secure Boot (CA key 1): 4016841644ce3a8... 当然,如果你的bios支持关闭
UEFI Secure Boot,你可以在bios的boot项中关闭UEFI Secure Boot.
否则只能为自己制作一个.
相关工具情况:
| 命令 | 软件包 | 适用 | 功能 |
|---|---|---|---|
openssl | openssl | Build system | 生成X509公私秘钥对 |
sign-file | kernel-devel | Build system | 对内核模块使用X509公私秘钥对签名 |
perl | perl | Build system | 签名脚本 |
mokutil | mokutil | Target system | 手动注册公钥到系统 |
keyctl | keyutils | Target system | 手动取消注册公钥到系统 |
1. 生成配置文件:
# cat << EOF > configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF 2. 生成秘钥(一般把公私钥放在/usr/src/kernels/`uname -r`文件夹):
]# openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config configuration_file.config -outform DER -out public_key.der -keyout private_key.priv 3. 在目标系统注册方法:
1. 把生成的UEFI Secure Boot key数据植入到出厂镜像文件即bios中(基本不可能)
2. 把生成的UEFI Secure Boot key数据植入到efi镜像文件(不知道弄,如果哪位大侠知道,求告知)
3. 把公钥添加到 MOK lis,执行以下步骤:
# mokutil --import public_key.der 然后重启电脑,重启后会有一个验证密码的过程.
使用私钥注册模块:
直接编译
# make -C /usr/src/kernels/$(uname -r) M=$PWD modules 或者,编译好后加入到模块
cd /usr/src/kernels/`uname -r` && perl ./scripts/sign-file sha256 private_key.priv public_key.der $(mod_dir)/mod.ko
1707
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
