@feiyax
Last active April 15, 2024 16:39
Manually Validate Kernel Module Signature

Pre-req

  • kernel module *.ko
  • signing key signing_key.pem (containing private key and certificate)
  • scripts dir from the linux source tree. usually also shipped in /usr/src/linux-headers-$(uname -r)/scripts/
  • don't have whitespace in path. (yeah i'm too lazy to type quotes)

Convert everything into desired formats

extract the signature and the signed data (the module with its signature trailer stripped) out of the *.ko

export PATH="${PATH}:/usr/src/linux-headers-$(uname -r)/scripts/" # just for accessing the tools
KMOD="/path/to/ko"
kmod_sig=/tmp/sig
kmod_data=/tmp/plain
extract-module-sig.pl -s "${KMOD}" > "${kmod_sig}"   # -s: the raw signature blob (DER-encoded PKCS#7)
extract-module-sig.pl -0 "${KMOD}" > "${kmod_data}"  # -0: the module with the signature trailer removed

convert the DER signature to a PEM pkcs7 msg

openssl pkcs7 -inform der -in "${kmod_sig}" -out "${kmod_sig}.pkcs7"

extract the certificate (pem) from the signing key/cert pair

KEY="/path/to/signing_key.pem" # basically the value of CONFIG_MODULE_SIG_KEY
cert="/tmp/signing_key.cert"
openssl x509 -outform pem -in "${KEY}" -out "${cert}"

Validate

# -nointern: trust only the cert given via -certfile, not any cert embedded in the message
# -noverify: skip chain validation of the signer cert (we are checking against the exact signing cert)
openssl smime -verify -binary -inform PEM \
  -in "${kmod_sig}.pkcs7" \
  -content "${kmod_data}" \
  -certfile "${cert}" \
  -nointern -noverify > /dev/null
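For anyone who wants to see what extract-module-sig.pl is actually cutting apart, here is an added example (not part of the gist) that splits a signed .ko in pure Python. It parses the trailer that scripts/sign-file appends: the PKCS#7 signature, then the 12-byte struct module_signature, then the 28-byte marker "~Module signature appended~\n". The sample module and its "signature" are constructed placeholders that only exercise the layout; the verify_with_openssl helper is my addition and assumes openssl is on PATH (it feeds the raw DER signature with -inform DER instead of converting to PEM first).

```python
"""Split a signed kernel module into its unsigned body and its PKCS#7 signature.

Added example, not code from the gist. Layout of a signed .ko (as appended by
scripts/sign-file):
    [module][signer name][key id][PKCS#7 signature][struct module_signature][marker]
"""
import struct
import subprocess
import tempfile
from dataclasses import dataclass

# include/linux/module_signature.h
MARKER = b"~Module signature appended~\n"          # 28 bytes
SIG_STRUCT = struct.Struct(">BBBBB3xI")            # algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
PKEY_ID_PKCS7 = 2                                  # id_type used for PKCS#7 signatures


@dataclass
class ModuleSignature:
    algo: int
    hash_algo: int
    id_type: int
    signer_len: int
    key_id_len: int
    sig_len: int


def split_signed_module(blob: bytes):
    """Return (unsigned_module, pkcs7_der, info); raise ValueError if no usable trailer."""
    if not blob.endswith(MARKER):
        raise ValueError("module carries no signature marker")
    body = blob[: -len(MARKER)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated signature trailer")
    info = ModuleSignature(*SIG_STRUCT.unpack(body[-SIG_STRUCT.size:]))
    body = body[: -SIG_STRUCT.size]
    if info.id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {info.id_type}")
    # For PKCS#7 the algorithm and signer live inside the PKCS#7 blob, so the
    # legacy fields in the trailer must all be zero.
    if info.algo or info.hash_algo or info.signer_len or info.key_id_len:
        raise ValueError("PKCS#7 trailer with non-zero legacy fields")
    if info.sig_len == 0 or info.sig_len > len(body):
        raise ValueError("bad sig_len")
    sig = body[-info.sig_len:]          # what extract-module-sig.pl -s prints
    unsigned = body[: -info.sig_len]    # what extract-module-sig.pl -0 prints
    return unsigned, sig, info


def build_signed_module(unsigned: bytes, pkcs7_der: bytes) -> bytes:
    """Append a trailer the way sign-file does (used here only to construct sample data)."""
    hdr = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return unsigned + pkcs7_der + hdr + MARKER


def verify_with_openssl(ko_path: str, cert_pem_path: str) -> bool:
    """Split the .ko and run the gist's check on the parts (assumes openssl on PATH)."""
    with open(ko_path, "rb") as f:
        unsigned, sig, _ = split_signed_module(f.read())
    with tempfile.NamedTemporaryFile(suffix=".sig") as sig_f, \
            tempfile.NamedTemporaryFile(suffix=".plain") as data_f:
        sig_f.write(sig); sig_f.flush()
        data_f.write(unsigned); data_f.flush()
        res = subprocess.run(
            ["openssl", "smime", "-verify", "-binary", "-inform", "DER",
             "-in", sig_f.name, "-content", data_f.name,
             "-certfile", cert_pem_path, "-nointern", "-noverify"],
            stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    return res.returncode == 0


# Constructed sample: not a real module and not a real signature, just the layout.
SAMPLE_MODULE_BODY = b"\x7fELF" + b"\x00" * 12 + b"constructed module body"
SAMPLE_PKCS7 = bytes.fromhex("3003020101")   # tiny DER SEQUENCE standing in for SignedData
SAMPLE_KO = build_signed_module(SAMPLE_MODULE_BODY, SAMPLE_PKCS7)

if __name__ == "__main__":
    body, sig, info = split_signed_module(SAMPLE_KO)
    print(f"unsigned body: {len(body)} bytes, signature: {len(sig)} bytes, id_type={info.id_type}")
```

Point it at a real module with split_signed_module(open("my.ko", "rb").read()) and the two byte strings you get back are exactly the /tmp/sig and /tmp/plain files from the steps above; an unsigned module (no marker) raises instead of silently returning garbage.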

??

Profit

Put all the commands together?

(Bashism warning: <() isn't POSIX)

KEY="signing_key.pem"
KMOD="my.ko"
ex="/usr/src/linux-headers-$(uname -r)/scripts/extract-module-sig.pl"
openssl smime -verify -binary -inform PEM \
  -in <(openssl pkcs7 -inform der -in <("${ex}" -s "${KMOD}")) \
  -content <("${ex}" -0 "${KMOD}") \
  -certfile <(openssl x509 -outform pem -in "${KEY}") \
  -nointern -noverify > /dev/null