Documentation/admin-guide/module-signing.rst

Source file repositories/reference/linux-study-clean/Documentation/admin-guide/module-signing.rst

File Facts

System
Linux kernel
Corpus path
Documentation/admin-guide/module-signing.rst
Extension
.rst
Size
11793 bytes
Lines
293
Domain
Support Tooling And Documentation
Bucket
Documentation
Inferred role
Support Tooling And Documentation: documentation
Status
atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

Kernel module signing facility
------------------------------

.. CONTENTS
..
.. - Overview.
.. - Configuring module signing.
.. - Generating signing keys.
.. - Public keys in the kernel.
.. - Manually signing modules.
.. - Signed modules and stripping.
.. - Loading signed modules.
.. - Non-valid signatures and unsigned modules.
.. - Administering/protecting the private key.


========
Overview
========

The kernel module signing facility cryptographically signs modules during
installation and then checks the signature upon loading the module.  This
allows increased kernel security by disallowing the loading of unsigned modules
or modules signed with an invalid key.  Module signing increases security by
making it harder to load a malicious module into the kernel.  The module
signature checking is done by the kernel so that it is not necessary to have
trusted userspace bits.

This facility uses X.509 ITU-T standard certificates to encode the public keys
involved.  The signatures are not themselves encoded in any industrial standard
type.  The built-in facility currently only supports the RSA, NIST P-384 ECDSA
and NIST FIPS-204 ML-DSA public key signing standards (though it is pluggable
and permits others to be used).  For RSA and ECDSA, the possible hash
algorithms that can be used are SHA-2 and SHA-3 of sizes 256, 384, and 512 (the
algorithm is selected by data in the signature); ML-DSA does its own hashing,
but is allowed to be used with a SHA512 hash for signed attributes.


==========================
Configuring module signing
==========================

The module signing facility is enabled by going to the
:menuselection:`Enable Loadable Module Support` section of
the kernel configuration and turning on::

	CONFIG_MODULE_SIG	"Module signature verification"

This has a number of options available:

 (1) :menuselection:`Require modules to be validly signed`
     (``CONFIG_MODULE_SIG_FORCE``)

     This specifies how the kernel should deal with a module that has a
     signature for which the key is not known or a module that is unsigned.

     If this is off (ie. "permissive"), then modules for which the key is not
     available and modules that are unsigned are permitted, but the kernel will
     be marked as being tainted, and the concerned modules will be marked as
     tainted, shown with the character 'E'.

     If this is on (ie. "restrictive"), only modules that have a valid
     signature that can be verified by a public key in the kernel's possession
     will be loaded.  All other modules will generate an error.

     Irrespective of the setting here, if the module has a signature block that
     cannot be parsed, it will be rejected out of hand.


 (2) :menuselection:`Automatically sign all modules`

Annotation

Implementation Notes