CentOS Kernel Compilation and its signature mechanism
The signing mechanism introduced in Linux kernel 3.7 greatly simplifies the security authentication of kernel modules and also gives operating system vendors a technical means of protecting their intellectual property. However, everything has pros and cons: engineers who encounter a kernel with a signing mechanism for the first time need a period of understanding and adapting to the new kernel. To that end, the author has combined personal work experience to summarize a few points and share them here.
1. What is the kernel signing mechanism?
Kernel module signing is the process by which the kernel uses a public key to verify driver modules: a module whose signature passes verification is allowed to load, while a module that carries no signature or whose signature fails verification is either prohibited from loading or still allowed to load, depending on the kernel configuration option.
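As an added illustration of what the kernel actually inspects (this script is not from the original post), the following reports whether a module file carries an appended signature and decodes the trailer fields. The layout it assumes is the upstream one: module data, then the signer name, key id and signature bytes, then a 12-byte struct module_signature (algo, hash, id_type, signer_len, key_id_len, three padding bytes, 32-bit big-endian sig_len), then the 28-byte magic string. It only decodes the trailer; verifying the signature itself requires the kernel's public key.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a kernel module
# file carries an appended signature trailer, and decode the trailer fields.
# Assumed on-disk layout (upstream kernel/module_signing.c):
#   [module ELF data][signer name][key id][signature bytes]
#   [12-byte struct module_signature: algo, hash, id_type, signer_len,
#    key_id_len, pad[3], sig_len (32-bit big-endian)]
#   [28-byte magic "~Module signature appended~\n"]
# Nothing here verifies the signature; that needs the kernel's public key.

MODSIG_MAGIC='~Module signature appended~'   # trailing "\n" is dropped by $(...)

# Exit 0 if FILE ends with the signature magic, 1 otherwise.
module_has_sig_trailer() {
    [ "$(tail -c 28 "$1")" = "$MODSIG_MAGIC" ]
}

# Print "id_type=N signer_len=N key_id_len=N sig_len=N" (plus "signer=..."
# for the X.509 id_type, where the signer name is stored inside the module),
# or "unsigned" with exit status 1 when no trailer is present.
module_sig_info() {
    file=$1
    if ! module_has_sig_trailer "$file"; then
        echo unsigned
        return 1
    fi
    # The 12-byte struct sits just before the magic: bytes [-40, -28) of the file.
    set -- $(tail -c 40 "$file" | head -c 12 | od -An -tu1 -v)
    id_type=$3 signer_len=$4 key_id_len=$5
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    echo "id_type=$id_type signer_len=$signer_len key_id_len=$key_id_len sig_len=$sig_len"
    # id_type 1 = X.509 (signer name and key id inline); 2 = PKCS#7 (both lengths 0).
    if [ "$id_type" -eq 1 ] && [ "$signer_len" -gt 0 ]; then
        tail_len=$((40 + sig_len + key_id_len + signer_len))
        echo "signer=$(tail -c "$tail_len" "$file" | head -c "$signer_len")"
    fi
}

# Usage: sh modsig.sh /lib/modules/$(uname -r)/kernel/fs/ext4/ext4.ko
if [ $# -gt 0 ]; then
    module_sig_info "$1"
fi
```

On a CentOS 7 system the same information is shown by modinfo as the sig_key and signer fields; the script is useful when you need to audit a directory of modules or a rescue image without kmod at hand.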
2. How do I use kernel signing?
Kernel signatures can be used in situations including but not limited to:
1. Driver modules that are tightly bound to a kernel or operating system vendor, including kernel driver modules restricted to a specific kernel version;
2. Restricted or controlled driver modules, including those that the operating system or kernel does not allow to be changed, which can only be built and loaded when the public and private key pair is known.
3. What are the possible inconveniences of signature verification?
When the kernel is recompiled, or modules are further developed, on an operating system that uses signature verification, the newly compiled kernel binaries or driver modules cannot be loaded directly without knowing the private key used previously and the way the public key was generated.
4. How to avoid the possible impact?
Disable kernel signature verification, rebuild the corresponding initramfs, modify the boot menu, and reboot the system from the newly added boot entry.
5. Practical examples
The following example uses CentOS 7 (based on Linux kernel 3.10) to describe the specific steps:
1. Download the CentOS DVD or another file system image matching the current system version from the official website;
2. Burn the image to a boot disk, or open it with UltraISO or similar boot-disk creation software, and find the corresponding kernel binary, config file (the x86_64 config), and initramfs in its RPM repository;
3. Based on the kernel binary version found above, download the corresponding kernel source RPM or compressed archive from the official website, unpack it, and copy the configuration file found above into the source tree as .config. Of course, the default .config can also be taken from the config file shipped under /boot/ on the system to be updated;
4. Run make menuconfig to review the default configuration, paying particular attention to the signing-related options:
If the configuration shows that signature verification is not used, you can directly modify the kernel, the drivers, or the configuration file, build a new kernel or driver, run make modules_install or make install, and the generated kernel or driver can directly replace the previous one.
Run make menuconfig and be sure to clear the forced module signature checking option (CONFIG_MODULE_SIG_FORCE); otherwise the generated kernel will only load drivers that match its current public key, and it is hard to guarantee that the public key in the kernel binary, the public key in the initramfs modules, and the public key in the driver modules under /lib/modules on the file system are identical.
5. Run make.
6. Specify the kernel module install path INSTALL_MOD_PATH and run make modules_install.
7. Run dracut -k $(INSTALL_MOD_PATH)/lib/modules/$(KERNELRELEASE) kernel.img $(KERNELRELEASE) to generate an initramfs matching the kernel.
8. Copy the bzImage under arch/ and the initramfs to /boot/.
9. Add a boot entry for the bzImage and initramfs to /etc/grub.cfg and run grub2-mkconfig.
10. Reboot, select the kernel entry you just added in GRUB, enter the operating system, and use and verify the new kernel and drivers.
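The procedure of section 4 and of the steps above, written as one script. This is an added example, not code from the original post. It assumes a CentOS 7 layout (kernel and initramfs under /boot, grub2-mkconfig writing /boot/grub2/grub.cfg and picking up /boot/vmlinuz-* on its own, rather than the grub.cfg the post edits by hand), a kernel source tree with its .config in $KSRC, and that dracut, grub2-mkconfig and nproc are available; the sig_policy and disable_sig_force helpers operate on a .config alone and are the part exercised by the test, with a constructed .config as input.

```shell
#!/bin/sh
# Added example (not from the original post): the rebuild procedure as a script.
# Assumptions: the kernel source tree is in $KSRC with a .config already in
# place; CentOS 7 layout, i.e. kernel and initramfs go to /boot and
# grub2-mkconfig writes /boot/grub2/grub.cfg (the post edits a grub.cfg by hand);
# dracut, grub2-mkconfig and an x86_64 build. Run as root: sh rebuild.sh run

KSRC=${KSRC:-/usr/src/linux}
INSTALL_MOD_PATH=${INSTALL_MOD_PATH:-/tmp/newkernel}

# Classify the module-signing policy encoded in a .config:
#   force - CONFIG_MODULE_SIG_FORCE=y: unsigned modules and modules signed with
#           another key are rejected at load time
#   sign  - CONFIG_MODULE_SIG=y without FORCE: such modules load but taint the kernel
#   off   - module signing not built in
sig_policy() {
    if grep -q '^CONFIG_MODULE_SIG_FORCE=y' "$1"; then
        echo force
    elif grep -q '^CONFIG_MODULE_SIG=y' "$1"; then
        echo sign
    else
        echo off
    fi
}

# Clear the forced-checking option in a .config, which is what step 4 does via
# make menuconfig (written without sed -i so it also works outside GNU sed).
disable_sig_force() {
    sed 's/^CONFIG_MODULE_SIG_FORCE=y$/# CONFIG_MODULE_SIG_FORCE is not set/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Steps 4 to 9: build, install modules to INSTALL_MOD_PATH, build a matching
# initramfs, copy kernel and initramfs to /boot, regenerate the GRUB config.
build_and_install() {
    cd "$KSRC" || return 1
    if [ "$(sig_policy .config)" = force ]; then
        disable_sig_force .config
    fi
    make -j"$(nproc)" || return 1
    make modules_install INSTALL_MOD_PATH="$INSTALL_MOD_PATH" || return 1
    krel=$(make -s kernelrelease)
    # dracut -k points it at the freshly installed modules rather than the
    # running kernel's; the last argument names the kernel version for the image.
    dracut -f -k "$INSTALL_MOD_PATH/lib/modules/$krel" "/boot/initramfs-$krel.img" "$krel" || return 1
    cp arch/x86/boot/bzImage "/boot/vmlinuz-$krel" || return 1
    # The root file system also needs the modules (the /lib/modules remark in step 4).
    cp -a "$INSTALL_MOD_PATH/lib/modules/$krel" /lib/modules/ || return 1
    grub2-mkconfig -o /boot/grub2/grub.cfg
}

if [ "${1:-}" = run ]; then
    build_and_install
fi
```

Running sig_policy against the .config before building tells you which of the two cases in step 4 applies; after the reboot in step 10, a kernel built with the "sign" policy will still load the new modules but marks itself tainted, which is visible in dmesg when the module loads.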
This article is from the "Store Chef" blog; please keep this source when reproducing it: http://xiamachao.blog.51cto.com/10580956/1763619