CentOS Kernel Compilation and its signature mechanism

Source: Internet
Author: User




The module signing mechanism introduced in Linux kernel 3.7 greatly simplifies the security authentication of kernel modules, and it also gives operating system vendors a technical means of protecting their intellectual property. Everything has two sides, though: engineers who meet a kernel with a signing mechanism for the first time need to understand it and adapt their workflow to it. Drawing on my own work experience, I have summarised a few points below to share with you.


1. What is the kernel signing mechanism?


Kernel module signing works like this: when a driver module is built it is signed with a private key, and the matching public key is compiled into the kernel. At load time the kernel uses that public key to verify the module's signature. A module whose signature verifies is allowed to load; a module that carries no signature, or whose signature does not verify against a key the kernel trusts, is either rejected or loaded with the kernel marked as tainted, depending on the kernel configuration (CONFIG_MODULE_SIG_FORCE) or the module.sig_enforce boot parameter.
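To make the check concrete, here is an added Python example (not part of the original article and not kernel code) that parses the signature trailer the kernel reads from the end of a .ko before it verifies anything. The layout follows the kernel's struct module_signature and the "~Module signature appended~\n" marker; the ELF payload, signer name and signature bytes below are constructed stand-ins, not a real module, and no cryptography is performed.

```python
import struct

# Layout of a signed module, from the kernel's include/linux/module_signature.h:
#   [ELF image][signer name][key id][signature][struct module_signature][MODULE_SIG_STRING]
# Kernels from 4.3 on use PKCS#7 (id_type 2): signer name and key id are empty and the
# signer identity lives inside the PKCS#7 message. 3.7-era kernels, including CentOS 7's
# 3.10, use id_type 1 (X.509) with an explicit signer name and key id before the signature.
MODULE_SIG_STRING = b"~Module signature appended~\n"
MODULE_SIGNATURE_FMT = ">BBBBB3xI"   # algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
MODULE_SIGNATURE_LEN = struct.calcsize(MODULE_SIGNATURE_FMT)   # 12 bytes
PKEY_ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}


def build_signed_module(payload, signature, id_type=2, signer=b"", key_id=b"", algo=0, hash_algo=0):
    """Append a module_signature trailer to payload, as scripts/sign-file does after signing.
    The signature bytes are taken as given; no cryptography is performed here."""
    info = struct.pack(MODULE_SIGNATURE_FMT, algo, hash_algo, id_type,
                       len(signer), len(key_id), len(signature))
    return payload + signer + key_id + signature + info + MODULE_SIG_STRING


def parse_module_signature(module_bytes):
    """Return what the kernel learns from the trailer before verifying anything.

    {"signed": False} means there is no trailer at all: the kernel then either refuses
    the module (CONFIG_MODULE_SIG_FORCE=y or module.sig_enforce=1) or loads it and
    taints itself. ValueError mirrors the -EBADMSG/-ENOPKG rejections of a malformed
    trailer in the kernel's signature-checking code.
    """
    if not module_bytes.endswith(MODULE_SIG_STRING):
        return {"signed": False, "payload": module_bytes}
    rest = module_bytes[:-len(MODULE_SIG_STRING)]
    if len(rest) < MODULE_SIGNATURE_LEN:
        raise ValueError("module too short to hold struct module_signature")
    algo, hash_algo, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        MODULE_SIGNATURE_FMT, rest[-MODULE_SIGNATURE_LEN:])
    rest = rest[:-MODULE_SIGNATURE_LEN]
    if id_type not in PKEY_ID_TYPES:
        raise ValueError("unknown key identifier type %d" % id_type)
    if id_type == 2 and (algo or hash_algo or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer with non-zero legacy fields")
    meta_len = signer_len + key_id_len + sig_len
    if meta_len >= len(rest):      # the kernel rejects lengths that eat the whole image
        raise ValueError("signature lengths exceed module size")
    payload_len = len(rest) - meta_len
    signer = rest[payload_len:payload_len + signer_len]
    key_id = rest[payload_len + signer_len:payload_len + signer_len + key_id_len]
    return {
        "signed": True,
        "id_type": PKEY_ID_TYPES[id_type],
        "algo": algo,            # raw enum values; their meaning changed between kernel versions
        "hash": hash_algo,
        "signer": signer.decode("latin-1"),
        "key_id": key_id.hex(),
        "sig_len": sig_len,
        "signature": rest[len(rest) - sig_len:],
        "payload": rest[:payload_len],   # the bytes that are actually hashed and verified
    }


# Constructed sample inputs (not a real .ko): a stand-in ELF payload and a fake signature blob.
FAKE_ELF = b"\x7fELF" + b"\x00" * 60 + b"vermagic=3.10.0 SMP mod_unload modversions\x00"
FAKE_SIG = bytes(range(256))
SIGNED_PKCS7 = build_signed_module(FAKE_ELF, FAKE_SIG)
SIGNED_X509 = build_signed_module(FAKE_ELF, FAKE_SIG, id_type=1,
                                  signer=b"example signing key", key_id=b"\x01\x02\x03\x04",
                                  algo=1, hash_algo=4)
UNSIGNED = FAKE_ELF
# A trailer whose sig_len claims more bytes than the file holds; the kernel rejects it.
CORRUPT = b"ab" + struct.pack(MODULE_SIGNATURE_FMT, 0, 0, 2, 0, 0, 2) + MODULE_SIG_STRING


if __name__ == "__main__":
    for name, blob in (("pkcs7", SIGNED_PKCS7), ("x509", SIGNED_X509), ("unsigned", UNSIGNED)):
        info = parse_module_signature(blob)
        print(name, {k: v for k, v in info.items() if k not in ("payload", "signature")})
    try:
        parse_module_signature(CORRUPT)
    except ValueError as e:
        print("corrupt:", e)
```

Against a real module you can cross-check the result with the signer and sig_key fields that modinfo prints, or simply confirm the marker with `tail -c 28 module.ko`. The point to take away is that the trailer only tells the kernel where the signature is and which key it claims; whether the module loads is decided by verifying that signature against the keys the kernel carries.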


2. Where is kernel signing used?


Kernel signing is used in situations including, but not limited to, the following:

1. Driver modules that are tightly bound to a particular kernel or operating system vendor, including kernel driver modules that are only meant to run on a specific kernel version;

2. Restricted or controlled driver modules that the operating system or kernel vendor does not allow to be modified: a loadable replacement can only be produced by someone who holds the private key matching the public key built into the kernel.


3. What are the possible inconveniences of signature verification?


If you rebuild the kernel, or do secondary development on its modules, on an operating system that enforces signature checking, the freshly built driver modules cannot be loaded as they are: you do not have the vendor's private key, and the running kernel trusts only the vendor's public key. A rebuilt kernel image, in turn, trusts only the key it was built with, so the vendor's signed modules will not verify under it either.


4. How to avoid the possible impact?


Build the new kernel with forced signature verification turned off (CONFIG_MODULE_SIG_FORCE unset), rebuild the matching initramfs, add an entry to the boot menu, and reboot the system into that new entry. Bear in mind that with forced checking off, unsigned modules still load but taint the kernel; if you want to keep enforcement, the alternative is to let the build sign every module with your own key pair (CONFIG_MODULE_SIG_ALL) and not mix in modules signed by the vendor.


5. Practical examples


The following uses CentOS 7 (based on Linux kernel 3.10) as an example to describe the specific steps:


1. Download the CentOS DVD image, or another installation image, that matches the version of the installed system from the official website;


2. Burn the image to a boot disk, or open it with UltraISO or similar boot-disk software, and find the matching kernel package in its RPM repository: it provides the kernel binary, the kernel configuration file (config-<version>.x86_64) and the initramfs that go together;


3. Based on the version of the kernel binary found above, download the matching kernel source RPM or source archive from the official website, unpack it, and copy the configuration file found above into the source tree as .config. The starting .config can equally be taken from the config file under /boot/ on the system to be updated (/boot/config-$(uname -r));


4. Run make menuconfig to review the default configuration, paying particular attention to the signing-related options (CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE, CONFIG_MODULE_SIG_ALL). There are two cases:

    • The kernel configuration does not use the signing mechanism, and all signature-checking options are switched off:

No signature verification is done, so you can directly modify the kernel or driver source and the configuration, build a new kernel or driver, run make modules_install or make install, and the generated kernel or driver modules can replace the previous ones directly.

    • The kernel already uses signature verification, so follow the steps below to produce a bootable kernel or a loadable driver:

    1. Run make menuconfig and be sure to turn off CONFIG_MODULE_SIG_FORCE ("Require modules to be validly signed"); otherwise the generated kernel will only load modules signed with the key it was built with, and it is hard to guarantee that the public key in the kernel image, the key the modules in the initramfs were signed with, and the key the modules under /lib/modules on the root filesystem were signed with are all the same. (With CONFIG_MODULE_SIG_ALL=y the build generates a fresh key pair and signs every module it builds with it; modules from the vendor's kernel package are signed with the vendor's key, which the rebuilt kernel does not carry.)

    2. Run make.

    3. Decide on the module installation path INSTALL_MOD_PATH (a staging directory; leave it unset to install straight into /lib/modules). The kernel release string is printed by make -s kernelrelease.

    4. Run make modules_install INSTALL_MOD_PATH=<path>.

    5. Generate an initramfs that matches the new kernel, pointing dracut at the freshly installed modules: dracut -k $INSTALL_MOD_PATH/lib/modules/$KERNELRELEASE initramfs-$KERNELRELEASE.img $KERNELRELEASE

    6. Copy the bzImage from under arch/ (arch/x86/boot/bzImage on x86_64) to /boot/vmlinuz-$KERNELRELEASE, and copy the initramfs image to /boot/ as well.

    7. Add a boot entry for the new kernel and initramfs: on CentOS 7 run grub2-mkconfig -o /boot/grub2/grub.cfg, which picks up the vmlinuz/initramfs pair from /boot/, or add a custom menuentry in /etc/grub.d/40_custom first and then regenerate grub.cfg.

    8. Reboot, select the kernel entry you just added in the GRUB menu, enter the operating system, and use and verify the new kernel and drivers.
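The decisive part of the procedure above is step 4/step 1 of the second case: knowing which CONFIG_MODULE_SIG* options the vendor configuration carries and what the resulting kernel will do with an unsigned or foreign-signed module, and then confirming the outcome after the reboot in step 8. The following Python helper is an added example, not from the original article or from any kernel tool: it audits a .config fragment, applies the CONFIG_MODULE_SIG_FORCE change as a scripted edit, and decodes the module-related taint bits from /proc/sys/kernel/tainted. The .config fragments are constructed samples, not CentOS's actual configuration.

```python
import re

# The line shapes that occur in a kernel .config.
_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")


def parse_config(text):
    """Map CONFIG_* names to their values ('y', 'm', 'n' or an unquoted string)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            name, val = m.groups()
            opts[name] = val[1:-1] if val.startswith('"') and val.endswith('"') else val
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def signing_policy(text):
    """Summarise what a kernel built from this .config does with modules at load time."""
    o = parse_config(text)
    sig = o.get("MODULE_SIG") == "y"
    force = sig and o.get("MODULE_SIG_FORCE") == "y"
    if not sig:
        unsigned = "loaded, no check"
    elif force:
        unsigned = "rejected with ENOKEY (modprobe prints 'Required key not available')"
    else:
        unsigned = "loaded, kernel tainted"
    return {
        "sig": sig,
        "force": force,
        # with MODULE_SIG_ALL the build signs every module it produces with its own key
        "sign_all": sig and o.get("MODULE_SIG_ALL") == "y",
        "hash": o.get("MODULE_SIG_HASH", ""),
        # MODULE_SIG_KEY does not exist in older trees, which generate the key at build time
        "key": o.get("MODULE_SIG_KEY", ""),
        "unsigned_module": unsigned,
        # a module signed with a key this kernel does not carry is treated like an unsigned one
        "foreign_signed_modules_load": not force,
    }


def disable_sig_force(text):
    """The step-1 change as a file edit: equivalent to unticking
    'Require modules to be validly signed' in menuconfig, or running
    scripts/config --disable MODULE_SIG_FORCE. Follow it with 'make olddefconfig'."""
    unset_line = "# CONFIG_MODULE_SIG_FORCE is not set"
    out, seen = [], False
    for line in text.splitlines():
        if line.startswith("CONFIG_MODULE_SIG_FORCE="):
            line = unset_line
        if line.strip() == unset_line:
            seen = True
        out.append(line)
    if not seen:
        out.append(unset_line)
    return "\n".join(out) + "\n"


# Bits of /proc/sys/kernel/tainted that module loading sets (bits 1 and 12 are long-standing;
# bit 13 'E' exists from Linux 3.15 on, earlier kernels mark an unsigned module with 'F').
TAINT_BITS = {1: "F", 12: "O", 13: "E"}


def taint_flags(value):
    """Decode the module-related taint letters from the integer in /proc/sys/kernel/tainted."""
    return "".join(ch for bit, ch in sorted(TAINT_BITS.items()) if value >> bit & 1)


# Constructed .config fragments (real files run to thousands of lines).
VENDOR_CONFIG = """\
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_HASH="sha256"
"""
NOSIG_CONFIG = """\
CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
"""


if __name__ == "__main__":
    print("vendor:", signing_policy(VENDOR_CONFIG))
    print("relaxed:", signing_policy(disable_sig_force(VENDOR_CONFIG)))
    print("nosig:", signing_policy(NOSIG_CONFIG))
    print("taint 0x3000 ->", taint_flags(0x3000))
```

After the reboot, `cat /proc/sys/kernel/tainted` run through taint_flags tells you whether the new kernel accepted an unsigned or foreign-signed module ("E", or "F" on older kernels) and whether it is out of tree ("O"); the runtime switch `/sys/module/module/parameters/sig_enforce` shows whether enforcement is currently on, so a clean taint value together with sig_enforce=1 is the state to aim for when you sign modules with your own key instead of relaxing the check.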



This article is from the "Store Chef" blog; please keep this source when reposting: http://xiamachao.blog.51cto.com/10580956/1763619
