Skip to content

Instantly share code, notes, and snippets.

@fonic

fonic/sign_kernel_modules.sh

Last active July 15, 2020 18:00
Show Gist options
  • Save fonic/a8842f56289da24970979a80554d95ee to your computer and use it in GitHub Desktop.
Save fonic/a8842f56289da24970979a80554d95ee to your computer and use it in GitHub Desktop.
Download ZIP
Sign Linux kernel modules
Raw
sign_kernel_modules.sh
#!/usr/bin/env bash
# -------------------------------------------------------------------------------------------
# -
# Sign Linux kernel modules -
# -
# Created by Fonic <https://github.com/fonic> -
# Date: 07/13/20 - 07/15/20 -
# -
# Based on: -
# https://wiki.gentoo.org/wiki/NVIDIA/nvidia-drivers#Kernel_module_signing_.28optional.29 -
# -
# -------------------------------------------------------------------------------------------
# Configuration
KERNEL_BASEDIR="/usr/src"
KERNEL_CONFIG=".config"
MODULE_BASEDIR="/lib/modules"
SIGN_SCRIPT="scripts/sign-file"
SIGN_KEY="certs/signing_key.pem"
SIGN_CERT="certs/signing_key.x509"
SIGN_CFGITEM="CONFIG_MODULE_SIG_HASH"
# Check command line
if (( $# < 2 )); then
echo "Usage: $(basename "$0") ALGORITHM KERNEL..."
echo "Example: $(basename "$0") sha512 5.4.48-gentoo"
echo "Example: $(basename "$0") auto \"\$(uname -r)\""
exit 2
fi
arg_algo="$1"; shift
# Check if root
if (( ${EUID} != 0 )); then
echo -e "\e[1;31mOnly root can do this.\e[0m"
exit 1
fi
# Sign kernel modules
result=0
for kernel; do
echo -e "\e[1mSigning modules for kernel '${kernel#*linux-}'...\e[0m"
[[ "${kernel}" != linux-* ]] && kernel="linux-${kernel}"
krndir="${KERNEL_BASEDIR}/${kernel}"
moddir="${MODULE_BASEDIR}/${kernel#*linux-}"
sign_script="${krndir}/${SIGN_SCRIPT}"
sign_key="${krndir}/${SIGN_KEY}"
sign_cert="${krndir}/${SIGN_CERT}"
[[ ! -d "${krndir}" ]] && { echo -e "\e[1;33mKernel sources directory '${krndir}' does not exists, skipping kernel\e[0m"; result=1; continue; }
[[ ! -d "${moddir}" ]] && { echo -e "\e[1;33mModule directory '${moddir}' does not exists, skipping kernel\e[0m"; result=1; continue; }
[[ ! -x "${sign_script}" ]] && { echo -e "\e[1;33mSigning script '${sign_script}' does not exists or is not executable, skipping kernel\e[0m"; result=1; continue; }
[[ ! -f "${sign_key}" ]] && { echo -e "\e[1;33mSigning key '${sign_key}' does not exists, skipping kernel\e[0m"; result=1; continue; }
[[ ! -f "${sign_cert}" ]] && { echo -e "\e[1;33mSigning certificate '${sign_key}' does not exists, skipping kernel\e[0m"; result=1; continue; }
if [[ "${arg_algo}" == "auto" ]]; then
krncfg="${krndir}/${KERNEL_CONFIG}"
[[ ! -f "${krncfg}" ]] && { echo -e "\e[1;33mConfiguration '${krncfg}' does not exists, unable to auto-detect signing algorithm, skipping kernel\e[0m"; result=1; continue; }
sign_algo="$(grep "^${SIGN_CFGITEM}=" "${krncfg}" 2>/dev/null)" # CONFIG_MODULE_SIG_HASH="sha512"
sign_algo="${sign_algo#*=}" # CONFIG_MODULE_SIG_HASH="sha512" -> "sha512"
[[ "${sign_algo}" == \"*\" || "${sign_algo}" == \'*\' ]] && sign_algo="${sign_algo:1:-1}" # "sha512" -> sha512
[[ "${sign_algo}" == "" ]] && { echo -e "\e[1;33mFailed to auto-detect signing algorithm using configuration '${krncfg}', skipping kernel\e[0m"; result=1; continue; }
echo "Detected signing algorithm: ${sign_algo}"
else
sign_algo="${arg_algo}"
fi
readarray -t modules < <(find "${moddir}" -type f -name '*.ko')
(( ${#modules} == 0 )) && { echo -e "\e[1;33mNo modules found in module directory '${moddir}'\e[0m"; continue; }
for module in "${modules[@]}"; do
echo "Signing module '${module##*/}'..."
"${sign_script}" "${sign_algo}" "${sign_key}" "${sign_cert}" "${module}" || { echo -e "\e[1;33mFailed to sign module '${module}'\e[0m"; result=1; }
done
done
exit ${result}
@fonic
Copy link
Author

fonic commented Jul 13, 2020
edited
Loading

Related Gentoo Linux forum post:
https://forums.gentoo.org/viewtopic-p-8480264.html#8480264

NOTE:
Although this script was created with Gentoo Linux in mind, it should run perfectly fine on other Linux distributions as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment