module-signing.rst - OpenGrok cross reference for /linux-6.14.4/Documentation/admin-guide/module-signing.rst

Lines Matching +full:built +full:- +full:into
2 ------------------------------
6 .. - Overview.
7 .. - Configuring module signing.
8 .. - Generating signing keys.
9 .. - Public keys in the kernel.
10 .. - Manually signing modules.
11 .. - Signed modules and stripping.
12 .. - Loading signed modules.
13 .. - Non-valid signatures and unsigned modules.
14 .. - Administering/protecting the private key.
25 making it harder to load a malicious module into the kernel.  The module
29 This facility uses X.509 ITU-T standard certificates to encode the public keys
31 type.  The built-in facility currently only supports the RSA & NIST P-384 ECDSA
33 used).  The possible hash algorithms that can be used are SHA-2 and SHA-3 of
75 	scripts/sign-file
84 	``CONFIG_MODULE_SIG_SHA256``	:menuselection:`Sign modules with SHA-256`
85 	``CONFIG_MODULE_SIG_SHA384``	:menuselection:`Sign modules with SHA-384`
86 	``CONFIG_MODULE_SIG_SHA512``	:menuselection:`Sign modules with SHA-512`
87 	``CONFIG_MODULE_SIG_SHA3_256``	:menuselection:`Sign modules with SHA3-256`
88 	``CONFIG_MODULE_SIG_SHA3_384``	:menuselection:`Sign modules with SHA3-384`
89 	``CONFIG_MODULE_SIG_SHA3_512``	:menuselection:`Sign modules with SHA3-512`
92      The algorithm selected here will also be built into the kernel (rather
117      This option can be set to the filename of a PEM-encoded file containing
132 it can be deleted or stored securely.  The public key gets built into the
142 during the building of vmlinux (the public part of the key needs to be built
143 into vmlinux) using parameters in the::
151 P-384 keypair.
174 	openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
175 	   -config x509.genkey -outform PEM -out kernel_key.pem \
176 	   -keyout kernel_key.pem
192 	223c7853 I------     1 perm 1f030000     0     0 keyring   .builtin_trusted_keys: 1
193 …302d2d52 I------     1 perm 1f010000     0     0 asymmetri Fedora kernel signing key: d69a84e6bce3…
197 trusted certificates can be provided in a PEM-encoded file referenced by the
205 	keyctl padd asymmetric "" [.builtin_trusted_keys-ID] <[key-file]
220 To manually sign a module, use the scripts/sign-file tool available in
230 	scripts/sign-file sha512 kernel-signkey.priv \
231 		kernel-signkey.x509 module.ko
234 doesn't, you should make sure that hash algorithm is either built into the
265 Non-valid signatures and unsigned modules
288 sufficient to prevent loading a module into a different kernel.  Either