From: Ben Mezger <su@seds.nl>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Kernel module signature now shown on modinfo
Date: Wed, 11 Apr 2018 17:39:30 -0300
Message-ID: <CANLyGzZAR4NZmSnyYh3kciB8kZmHYAvPkx6X3vu3iSSt6X3WHA@mail.gmail.com>

Greetings,

I have enabled module signature verification on my kernel, and it does
seem to be enabled upon boot:

$ dmesg | grep -i 'x.*509'
[ 1.259988] Asymmetric key parser 'x509' registered
[ 1.811026] Loading compiled-in X.509 certificates
[ 1.813833] Loaded X.509 cert 'Build time autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e'

and doing a cat /proc/keys seems to show the key enabled:

$ cat /proc/keys
...
37c67374 I------ 1 perm 1f030000 0 0 asymmetri Build time autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e: X509.rsa 55b41a5e []
...

However, if I do a modinfo to see the key on a module, it seems empty:

$ modinfo ntfs
filename: /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
license: GPL
version: 2.1.32
description: NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton Altaparmakov and Tuxera Inc.
author: Anton Altaparmakov <anton@tuxera.com>
alias: fs-ntfs
srcversion: 0D7ACE93F603E9350827FB8
depends:
intree: Y
vermagic: 4.9.76-gentoo-r1 SMP mod_unload
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4

And hex dump does show me the digital signature appended at the end:

$ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail
0004e8c0 e3 dd 54 9d 5e f1 1a 12 56 47 4e 54 91 b9 fa ce |..T.^...VGNT....|
0004e8d0 e6 01 db 37 eb 83 f3 77 10 f0 b5 f8 11 fd 4e 86 |...7...w......N.|
0004e8e0 6c 81 8a 61 c2 15 6d 5a 35 93 8b 33 c0 32 2f e4 |l..a..mZ5..3.2/.|
0004e8f0 8c 15 71 de c8 c5 39 58 cc e8 65 e1 be 36 e6 02 |..q...9X..e..6..|
0004e900 b0 75 b5 a2 73 d8 4d 22 e7 2f 53 1f 42 fb ee 58 |.u..s.M"./S.B..X|
0004e910 f2 65 44 13 26 30 7b 31 1c 58 12 5a f2 5d b1 45 |.eD.&0{1.X.Z.].E|
0004e920 3a f0 a5 79 74 f4 00 00 02 00 00 00 00 00 00 00 |:..yt...........|
0004e930 02 9e 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 |..~Module signat|
0004e940 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ure appended~.|
0004e94e

My question is: why doesn't modinfo show me the key fingerprint?

--
Kind regards,
With kind regards,
Ben Mezger
https://seds.nl
PGP: C473 DDC9 D1B1 40AF 2051 1CF6 18C4 6052 1688 92F7
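
Added example, not part of the original message: a Python parser for the 12-byte trailer (the kernel's struct module_signature) that sits just before the "~Module signature appended~" marker in the hexdump above. Run over the bytes quoted in the message, it reports id_type 2 (PKCS#7), a 670-byte signature, and zeroed hash, signer and key-id fields; with PKCS#7 those details are stored inside the signature blob rather than in the trailer. The function and constant names are this example's own.

```python
import struct

MAGIC = b"~Module signature appended~\n"   # 28-byte marker ending a signed .ko
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total).
TRAILER = struct.Struct(">5B3sI")
ID_TYPES = {0: "PGP", 1: "X.509", 2: "PKCS#7"}   # enum pkey_id_type

# Last 46 bytes of ntfs.ko, copied from the hexdump in the message
# (offsets 0x4e920 to 0x4e94d): 6 signature bytes, the trailer, the marker.
SAMPLE_TAIL = bytes.fromhex("3af0a57974f4" "0000020000000000" "0000029e") + MAGIC


def parse_trailer(data: bytes) -> dict:
    """Decode the signature trailer from a module image or just its tail."""
    if not data.endswith(MAGIC):
        raise ValueError("no appended-signature marker: module is unsigned")
    end = len(data) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("truncated: marker present but trailer missing")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack(
        data[end - TRAILER.size:end])
    return {
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "algo": algo,
        "hash": hash_,
        "signer_len": signer_len,
        "key_id_len": key_id_len,
        "sig_len": sig_len,
        # For PKCS#7 the kernel rejects a trailer whose other fields are not
        # zero; signer, key id and digest algorithm live in the PKCS#7 blob.
        "pkcs7_ok": id_type == 2 and not (
            algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0"),
        # True only when the buffer holds the complete signature blob.
        "blob_present": sig_len <= end - TRAILER.size,
    }


if __name__ == "__main__":
    for field, value in parse_trailer(SAMPLE_TAIL).items():
        print(f"{field:13} {value}")
```

To inspect a whole module, pass the file's full contents (for example `open(path, "rb").read()`); `blob_present` is then true and the signature blob is the `sig_len` bytes immediately before the trailer.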