[Kernel] add genkey file for kernel key generation

Recent kernels sign their modules with an autogenerated key at compilation time, which is configured with a genkey file. If that file doesn’t exist, it will also be autogenerated.

dmesg | grep cert

shows basic certificate info, more details with sudo cat /proc/keys.

It just says “autogenerated kernel key” on Manjaro 4.19.

However, you can provide a genkey file with customised info.
The file should be put in $srcdir/certs/x509.genkey; it would look like this.

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = <Organisation>
CN = <Comment>
emailAddress = <email@add.ress>

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

My suggestion is to change the info in req_distinguished_name to something like “Manjaro”.
Low priority obviously :wink:

EDIT:
add link to kernel documentation:
https://www.kernel.org/doc/html/v4.19/admin-guide/module-signing.html

It is strongly recommended that you provide your own x509.genkey file.

6 Likes

Since I’m currently working on this for my custom kernel… has this already been considered for Manjaro?

I believe this could even be used to sign extramodules as described in the kernel documentation. I’m not quite there yet though.

1 Like

Yes, it can:

$ modinfo nvidia
filename:       /lib/modules/4.19.34-1-vd/extramodules/nvidia.ko.gz
alias:          char-major-195-*
version:        418.43
supported:      external
[...]
retpoline:      Y
name:           nvidia
vermagic:       4.19.34-1-vd SMP preempt mod_unload modversions 
sig_id:         PKCS#7
signer:         vd kernel key
sig_key:        64:[...]
sig_hashalgo:   sha512
signature:      54:[...]

Cool stuff :slight_smile:

In order to do that, you have to generate a key and use sign-file from the kernel source tree on the modules.

2 Likes
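As an added example that is not part of this thread, a small Python checker for the trailer that sign-file appends to a module: the struct module_signature fields plus the magic string, both as defined in the kernel source. It reports whether a module (plain .ko or .ko.gz, as in the modinfo output above) carries an appended PKCS#7 signature and how large the blob is; the script name modsig_check.py and the sample bytes used for testing are constructed.

```python
import gzip
import struct
import sys

# Trailer that scripts/sign-file appends after the PKCS#7 blob: struct module_signature
# (12 bytes: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian u32
# sig_len) followed by MODULE_SIG_STRING, both as defined in the kernel source.
SIG_MAGIC = b"~Module signature appended~\n"
SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # the id_type behind "sig_id: PKCS#7" in modinfo


def parse_module_signature(data: bytes):
    """Split a signed module into (payload, pkcs7_der, sig_len).
    Returns None for an unsigned module; raises ValueError on a malformed trailer."""
    if not data.endswith(SIG_MAGIC):
        return None
    body = data[: -len(SIG_MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size :]
    )
    body = body[: -SIG_STRUCT.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"module is not signed with a PKCS#7 message (id_type={id_type})")
    # With PKCS#7 the algorithm, hash and signer live inside the blob; the
    # kernel rejects a trailer that sets any of these legacy fields.
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("non-zero legacy fields in PKCS#7 trailer")
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len out of range")
    return body[:-sig_len], body[-sig_len:], sig_len


def append_signature(payload: bytes, pkcs7_der: bytes) -> bytes:
    """Build the same trailer sign-file writes (used here to construct test data)."""
    trailer = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return payload + pkcs7_der + trailer + SIG_MAGIC


if __name__ == "__main__":
    # Usage: python3 modsig_check.py /lib/modules/$(uname -r)/extramodules/nvidia.ko.gz
    path = sys.argv[1]
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        result = parse_module_signature(fh.read())
    print("unsigned" if result is None else f"signed, PKCS#7 blob of {result[2]} bytes")
```

The checker only confirms that a well-formed trailer is present; verifying the PKCS#7 blob against the key in /proc/keys is what the kernel does at load time.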