NTU Apprentice
Joined: 17 Jul 2015 Posts: 187
Posted: Wed Jun 24, 2020 6:07 am Post subject: [SOLVED] Lockdown kernel for the first time (questions)
Hi everyone,
I had a problem: No modules load when building a 5.4 LTS kernel with Lockdown enabled. dmesg shows:
Code:
Loading of module with unsupported crypto is rejected
Solution:
After running `modinfo` on one of the modules installed, I noticed that it was signed using sha256. In my kernel config, I had CONFIG_CRYPTO_SHA256 disabled. By default, CONFIG_MODULE_SIG_KEY is set to "certs/signing_key.pem" which I think is a 4096-bit RSA key that gets autogenerated at compile time?
Even though I had selected the following options:
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA1=y
For the kernel modules to load with your build auto-generated key, at least by default, you have to enable CONFIG_CRYPTO_SHA256:
https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA256.html
I have a few questions for any crypto guys here.. Since MODULE_SIG_ALL and MODULE_SIG_SHA1 were enabled, how does SHA256 come into play, since LibreSSL does not support SHA256 encryption? Matter of fact, it will error out if you enable MODULE_SIG_SHA256 on a LibreSSL system.
MODULE_SIG_SHA1, OK.. SHA1 is a 160-bit hash.. SHA256 is 256-bits (what modinfo shows) and the RSA key by default is 4096-bits.. Huh? 3 different layers of encryption in different places, and somewhere PKCS#7 falls into this?
Very noobish question, I'm just confused by what's happening with the kernel "signing a bunch of stuff."
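The mismatch described in the post (a module signed with sha256, a kernel built without CONFIG_CRYPTO_SHA256) can be checked before rebooting. The script below is an added example, not code from the post or from the kernel tree: it maps the hash algorithm that `modinfo -F sig_hashalgo <module>` reports to the CONFIG_CRYPTO_* symbol that provides it and checks that the symbol is built in (=y) in a given .config. The mapping for sha224/sha384 (provided by the sha256/sha512 implementations) and the requirement of =y rather than =m (the verifier runs before any module can be loaded) are assumptions made here; the demo uses a constructed .config fragment, not a real system's config.

```shell
#!/bin/sh
# Added example: check that the hash used to sign a module is built into the
# kernel, so module signature verification can actually run.

# Map a modinfo sig_hashalgo value to the kernel config symbol providing it
# (assumed mapping: sha224 comes with the sha256 code, sha384 with sha512).
hashalgo_to_config() {
    case "$1" in
        sha1)          echo CONFIG_CRYPTO_SHA1 ;;
        sha224|sha256) echo CONFIG_CRYPTO_SHA256 ;;
        sha384|sha512) echo CONFIG_CRYPTO_SHA512 ;;
        *)             return 1 ;;
    esac
}

# Return 0 if the config symbol is =y in the given .config, 1 otherwise.
# =m is treated as missing: the signature verifier runs before any module
# can be loaded, so the hash implementation must be in the kernel image.
config_builtin() {
    grep -q "^$2=y$" "$1"
}

# Return 0 when modules signed with this hash can be verified, 1 when they
# would be rejected, 2 when the hash name is not recognised.
check_modsig_hash() {
    cfg=$1
    algo=$2
    sym=$(hashalgo_to_config "$algo") || {
        echo "unknown hash algorithm: $algo" >&2
        return 2
    }
    if config_builtin "$cfg" "$sym"; then
        echo "$algo signatures verifiable: $sym=y in $cfg"
        return 0
    fi
    echo "modules signed with $algo will be rejected: $sym is not =y in $cfg" >&2
    return 1
}

# Demo on a constructed .config fragment mirroring the post: SHA1 signing
# selected, CONFIG_CRYPTO_SHA256 left out.
demo() {
    demo_cfg=$(mktemp)
    printf '%s\n' 'CONFIG_MODULE_SIG=y' 'CONFIG_MODULE_SIG_FORCE=y' \
        'CONFIG_MODULE_SIG_SHA1=y' 'CONFIG_CRYPTO_SHA1=y' \
        '# CONFIG_CRYPTO_SHA256 is not set' > "$demo_cfg"
    check_modsig_hash "$demo_cfg" sha1
    check_modsig_hash "$demo_cfg" sha256 || true   # the case from the post
    rm -f "$demo_cfg"
}
demo

# On a live system (assumed paths and module name):
#   check_modsig_hash /usr/src/linux/.config "$(modinfo -F sig_hashalgo <module>)"
```

Running it against the real config and one of the installed modules tells you which CONFIG_CRYPTO_* symbol to enable before the next build, instead of finding out from the "unsupported crypto" message in dmesg.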