kk Blog —— 通用基础


date [-d @int|str] [+%s|"+%F %T"]
netstat -ltunp
sar -n DEV 1

wav音频文件格式

1
2
3
4
5
6
7
8

# mp3 转 wav
ffmpeg -i source.mp3 output.wav

# wav 转 mp3
ffmpeg -i source.wav output.mp3

# 从视频中提取音频
ffmpeg -i source.mp4 -vn output.wav

http://blog.csdn.net/mcgrady_tracy/article/details/52502263

http://blog.csdn.net/u013286409/article/details/47414273

wav是微软开发的一种音频文件格式,注意,wav文件格式是无损音频文件格式,相对于其他音频格式文件数据是没有经过压缩的,通常文件也相对比较大些。

文件格式如图所示:

解析代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

struct WAV_Format {
	uint32_t ChunkID; /* "RIFF" */
	uint32_t ChunkSize;   /* 36 + Subchunk2Size */
	uint32_t Format;  /* "WAVE" */

	/* sub-chunk "fmt" */
	uint32_t Subchunk1ID; /* "fmt " */
	uint32_t Subchunk1Size;   /* 16 for PCM */
	uint16_t AudioFormat; /* PCM = 1*/
	uint16_t NumChannels; /* Mono = 1, Stereo = 2, etc. */
	uint32_t SampleRate;  /* 8000, 44100, etc. */
	uint32_t ByteRate;    /* = SampleRate * NumChannels * BitsPerSample/8 */
	uint16_t BlockAlign;  /* = NumChannels * BitsPerSample/8 */
	uint16_t BitsPerSample;   /* 8bits, 16bits, etc. */
	// LIST 包含歌手歌名专辑等

	/* sub-chunk "data" */
	uint32_t Subchunk2ID;   /* "data" */
	uint32_t Subchunk2Size; /* data size */
};

int main(void)
{
	FILE *fp = NULL;
	struct WAV_Format wav;

	fp = fopen("test.wav", "rb");
	if (!fp) {
		printf("can't open audio file\n");
		exit(1);
	}

	fread(&wav, 1, sizeof(struct WAV_Format), fp);

	printf("ChunkID \t%x\n", wav.ChunkID);
	printf("ChunkSize \t%d\n", wav.ChunkSize);
	printf("Format \t\t%x\n", wav.Format);
	printf("Subchunk1ID \t%x\n", wav.Subchunk1ID);
	printf("Subchunk1Size \t%d\n", wav.Subchunk1Size);
	printf("AudioFormat \t%d\n", wav.AudioFormat);
	printf("NumChannels \t%d\n", wav.NumChannels);
	printf("SampleRate \t%d\n", wav.SampleRate);
	printf("ByteRate \t%d\n", wav.ByteRate);
	printf("BlockAlign \t%d\n", wav.BlockAlign);
	printf("BitsPerSample \t%d\n", wav.BitsPerSample);
	printf("Subchunk2ID \t%x\n", wav.Subchunk2ID);
	printf("Subchunk2Size \t%d\n", wav.Subchunk2Size);

	fclose(fp);

	return 0;
}

wav概述

WAV为微软公司(Microsoft)开发的一种声音文件格式,它符合RIFF(Resource Interchange File Format)文件规范,用于保存Windows平台的音频信息资源,被Windows平台及其应用程序所广泛支持,该格式也支持MSADPCM,CCITT A LAW等多种压缩运算法,支持多种音频数字,取样频率和声道,标准格式化的WAV文件和CD格式一样,也是44.1K的取样频率,16位量化数字,因此在声音文件质量和CD相差无几! WAV打开工具是WINDOWS的媒体播放器。

通常使用三个参数来表示声音,量化位数,取样频率和采样点振幅。量化位数分为8位,16位,24位三种,声道有单声道和立体声之分,单声道振幅数据为n1矩阵点,立体声为n2矩阵点,取样频率一般有11025Hz(11kHz) ,22050Hz(22kHz)和44100Hz(44kHz) 三种,不过尽管音质出色,但在压缩后的文件体积过大!相对其他音频格式而言是一个缺点,其文件大小的计算方式为:WAV格式文件所占容量(B) = (取样频率 X量化位数X 声道) X 时间 / 8 (字节= 8bit) 每一分钟WAV格式的音频文件的大小为10MB,其大小不随音量大小及清晰度的变化而变化。

RIFF文件

  1. 简介RIFF全称为资源互换文件格式(ResourcesInterchange FileFormat),RIFF文件是windows环境下大部分多媒体文件遵循的一种文件结构,RIFF文件所包含的数据类型由该文件的扩展名来标识,能以RIFF文件存储的数据包括:音频视频交错格式数据(.AVI) 波形格式数据(.WAV) 位图格式数据(.RDI) MIDI格式数据(.RMI)调色板格式(.PAL)多媒体电影(.RMN)动画光标(.ANI)其它RIFF文件(.BND)

  2. CHUNK chunk是组成RIFF文件的基本单元,它的基本结构如下:

1
2
3
4
5

struct chunk {
	u32 id;       /* 块标志 */
	u32 size; /* 块大小 */
	u8 dat[size]; /* 块内容 */
};

id 由4个ASCII字符组成,用以识别块中所包含的数据。如:'RIFF',‘LIST’,‘fmt’,‘data’,‘WAV’,‘AVI'等等,由于这种文件结构最初是由Microsoft和IBM为PC机所定义,RIFF文件是按照little-endian[2] 字节顺序写入的。

size(块大小) 是存储在data域中数据的长度,id与size域的大小则不包括在该值内。

dat(块内容) 中所包含的数据是以字(WORD)为单位排列的,如果该数据结构长度是奇数,则在最后添加一个空(NULL)字节。

chunk块中有且仅有两种类型块:'RIFF'和'LIST'类型可以包含其他块,而其它块仅能含有数据。

‘RIFF'和'LIST'类型的chunk结构如下

1
2
3
4
5
6
7

struct chunk {
	u32 id;       /* 块标志 */
	u32 size; /* 块大小 */
	/*此时的dat = type + restdat */
	u32 type; /* 类型 */
	u8 restdat[size]; /* dat中除type4个字节后剩余的数据*/
};

可以看出,'RIFF'和'LIST'也是chunk,只是它的dat由两部分组成type和restdat。

type,由4个ASCII字符组成,代表RIFF文件的类型,如'WAV',‘AVI ';或者'LIST'块的类型,如avi文件中的列表'hdrl’,‘movi'。

restdat,dat中除type4个字节后剩余的数据,包括块内容,包含若干chunk和'LIST'

2.1 FOURCC 一个FOURCC(fourcharacter code)是一个占4个字节的数据,一般表示4个ASCII字符。在RIFF文件格式中,FOURCC非常普遍,structchunk 中的id成员,'LIST',‘RIFF'的type成员,起始标识等信息都是用FOURCC表示的。FOURCC一般是四个字符,如'abcd'这样的形式,也可以三个字符包含一个空格,如'abc'这样的形式。

RIFF文件的FileData部分由若干个'LIST'和chunk组成,而'LIST'的ListData又可以由若干个'LIST'和chunk组成,即'LIST'是可以嵌套的。 ‘RIFF’,FileType,‘LIST’,ListType,ChunkID都是FOURCC,即使用4字节的ASIIC字符标识类型。

FileSize,ListSize,ChunkSize为little-endian32-bit正整数,表示Type(只有'RIFF',‘LIST'chunk有Type)+Data一起的大小,注意它是little-endian表示,如:0x00123456,存储地址由低到高,在little-endian系统中的存储表示为0x56341200(字节由低位到高位存储),而在big-endian为0x00123456(字节由高位到低位存储)。32bit整数0x00123456存储地址低———>;高little-endian(字节由低位到高位存储)56341200big-endian(字节由高位到低位存储)00123456

内核模块签名--详解

验证模块签名

kernel/module.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

SYSCALL_DEFINE3(init_module, void __user *, umod,
		unsigned long, len, const char __user *, uargs)
{
	int err; 
	struct load_info info = { }; 

	err = may_init_module();
	if (err)
		return err; 

	pr_debug("init_module: umod=%p, len=%lu, uargs=%p\n",
	       umod, len, uargs);

	err = copy_module_from_user(umod, len, &info);
	if (err)
		return err; 

	return load_module(&info, uargs, 0);
}
1
2
3
4
5
6
7
8
9
10
11
12
13

/* Allocate and load the module: note that size of section 0 is always
   zero, and we rely on this for optional sections. */
static int load_module(struct load_info *info, const char __user *uargs,
		       int flags)
{
	struct module *mod;
	struct module_ext *mod_ext;
	long err;

	err = module_sig_check(info);
	if (err)
		goto free_copy;
	...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

static int module_sig_check(struct load_info *info)
{
	int err = -ENOKEY;
	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
	const void *mod = info->hdr;

	# 模块最后是 MODULE_SIG_STRING 字符串
	if (info->len > markerlen &&
	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
		/* We truncate the module to discard the signature */
		info->len -= markerlen;
		err = mod_verify_sig(mod, &info->len); // 检验签名
	}

	if (!err) {
		info->sig_ok = true;
		return 0;
	}

	/* Not having a signature is only an error if we're strict. */
	if ((err == -ENOKEY && !sig_enforce) && (get_securelevel() <= 0))
		err = 0;

	return err;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

/*
 * Verify the signature on a module.
 */
int mod_verify_sig(const void *mod, unsigned long *_modlen)
{
	struct public_key_signature *pks;
	struct module_signature ms;
	struct key *key;
	const void *sig;
	size_t modlen = *_modlen, sig_len;
	int ret;

	pr_devel("==>%s(,%zu)\n", __func__, modlen);

	if (modlen <= sizeof(ms))
		return -EBADMSG;

	# 去除 MODULE_SIG_STRING 后,文件末尾是定义个字段长度的结构
	memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
	modlen -= sizeof(ms);

	# 签名长度
	sig_len = be32_to_cpu(ms.sig_len);
	if (sig_len >= modlen)
		return -EBADMSG;
	modlen -= sig_len;

	# 签名者长度,签名的标识ID长度,ID一般是一个20B的串
	if ((size_t)ms.signer_len + ms.key_id_len >= modlen)
		return -EBADMSG;
	modlen -= (size_t)ms.signer_len + ms.key_id_len;

	*_modlen = modlen;
	sig = mod + modlen;

	/* For the moment, only support RSA and X.509 identifiers */
	if (ms.algo != PKEY_ALGO_RSA ||
	    ms.id_type != PKEY_ID_X509)
		return -ENOPKG;

	if (ms.hash >= PKEY_HASH__LAST ||
	    !hash_algo_name[ms.hash])
		return -ENOPKG;

	# 查找 .system_keyring
	key = request_asymmetric_key(sig, ms.signer_len,
				     sig + ms.signer_len, ms.key_id_len);
	if (IS_ERR(key))
		return PTR_ERR(key);

	# 摘要
	pks = mod_make_digest(ms.hash, mod, modlen);
	if (IS_ERR(pks)) {
		ret = PTR_ERR(pks);
		goto error_put_key;
	}

	# hash算法的额外前缀
	ret = mod_extract_mpi_array(pks, sig + ms.signer_len + ms.key_id_len,
				    sig_len);
	if (ret < 0)
		goto error_free_pks;

	# 验证签名
	ret = verify_signature(key, pks);
	pr_devel("verify_signature() = %d\n", ret);

error_free_pks:
	mpi_free(pks->rsa.s);
	kfree(pks);
error_put_key:
	key_put(key);
	pr_devel("<==%s() = %d\n", __func__, ret);
	return ret;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

/*
 * Request an asymmetric key.
 */
static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
					  const u8 *key_id, size_t key_id_len)
{
	key_ref_t key;
	size_t i;
	char *id, *q;

	pr_devel("==>%s(,%zu,,%zu)\n", __func__, signer_len, key_id_len);

	/* Construct an identifier. */
	id = kmalloc(signer_len + 2 + key_id_len * 2 + 1, GFP_KERNEL);
	if (!id)
		return ERR_PTR(-ENOKEY);

	memcpy(id, signer, signer_len);

	q = id + signer_len;
	*q++ = ':';
	*q++ = ' ';
	for (i = 0; i < key_id_len; i++) {
		*q++ = hex_asc[*key_id >> 4];
		*q++ = hex_asc[*key_id++ & 0x0f];
	}

	*q = 0;

	pr_debug("Look up: \"%s\"\n", id);

#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
	key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
				   &key_type_asymmetric, id);
	if (!IS_ERR(key)) {
		/* module is signed with a cert in the blacklist.  reject */
		pr_err("Module key '%s' is in blacklist\n", id);
		key_ref_put(key);
		kfree(id);
		return ERR_PTR(-EKEYREJECTED);
	}
#endif

	key = keyring_search(make_key_ref(system_trusted_keyring, 1),
			     &key_type_asymmetric, id);
	if (IS_ERR(key))
		pr_warn("Request for unknown module key '%s' err %ld\n",
			id, PTR_ERR(key));
	kfree(id);

	if (IS_ERR(key)) {
		switch (PTR_ERR(key)) {
			/* Hide some search errors */
		case -EACCES:
		case -ENOTDIR:
		case -EAGAIN:
			return ERR_PTR(-ENOKEY);
		default:
			return ERR_CAST(key);
		}
	}

	pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
	return key_ref_to_ptr(key);
}

内核密匙注册

kernel/system_keyring.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

#include <linux/export.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include "module-internal.h"

struct key *system_trusted_keyring;
EXPORT_SYMBOL_GPL(system_trusted_keyring);
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
struct key *system_blacklist_keyring;
#endif

extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;

/*
 * Load the compiled-in keys
 */
static __init int system_trusted_keyring_init(void)
{
	pr_notice("Initialise system trusted keyring\n");

	system_trusted_keyring =
		keyring_alloc(".system_keyring",
			      KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
			      KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
			      KEY_ALLOC_NOT_IN_QUOTA, NULL);
	if (IS_ERR(system_trusted_keyring))
		panic("Can't allocate system trusted keyring\n");

	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);

#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
	system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
				    KUIDT_INIT(0), KGIDT_INIT(0),
				    current_cred(),
				    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
				    KEY_USR_VIEW | KEY_USR_READ,
				    KEY_ALLOC_NOT_IN_QUOTA, NULL);
	if (IS_ERR(system_blacklist_keyring))
		panic("Can't allocate system blacklist keyring\n");

	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
#endif

	return 0;
}

/*
 * Must be initialised before we try and load the keys into the keyring.
 */
device_initcall(system_trusted_keyring_init);

/*
 * Load the compiled-in list of X.509 certificates.
 */
static __init int load_system_certificate_list(void)
{
	key_ref_t key;
	const u8 *p, *end;
	size_t plen;

	pr_notice("Loading compiled-in X.509 certificates\n");

	p = system_certificate_list;
	end = p + system_certificate_list_size;
	while (p < end) {
		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
		 * than 256 bytes in size.
		 */
		if (end - p < 4)
			goto dodgy_cert;
		if (p[0] != 0x30 &&
		    p[1] != 0x82)
			goto dodgy_cert;
		plen = (p[2] << 8) | p[3];
		plen += 4;
		if (plen > end - p)
			goto dodgy_cert;

		key = key_create_or_update(make_key_ref(system_trusted_keyring, 1),
					   "asymmetric",
					   NULL,
					   p,
					   plen,
					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
					   KEY_USR_VIEW | KEY_USR_READ),
					   KEY_ALLOC_NOT_IN_QUOTA |
					   KEY_ALLOC_TRUSTED);
		if (IS_ERR(key)) {
			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
			       PTR_ERR(key));
		} else {
			set_bit(KEY_FLAG_BUILTIN, &key_ref_to_ptr(key)->flags);
			pr_notice("Loaded X.509 cert '%s'\n",
				  key_ref_to_ptr(key)->description);
			key_ref_put(key);
		}
		p += plen;
	}

	return 0;

dodgy_cert:
	pr_err("Problem parsing in-kernel X.509 certificate list\n");
	return 0;
}
late_initcall(load_system_certificate_list);

内核信任密匙是在编译的时候收集到的。收集 *.x509

kernel/Makefile

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
...
...

###############################################################################
#
# Roll all the X.509 certificates that we can find together and pull them into
# the kernel so that they get loaded into the system trusted keyring during
# boot.
#
# We look in the source root and the build root for all files whose name ends
# in ".x509".  Unfortunately, this will generate duplicate filenames, so we
# have make canonicalise the pathnames and then sort them to discard the
# duplicates.
#
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
X509_CERTIFICATES := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
			$(or $(realpath $(CERT)),$(CERT))))

X509_TOOL_CERTIFICATES := $(wildcard $(srctree)/tool_certs/*.pub)

ifeq ($(X509_CERTIFICATES),)
$(warning *** No X.509 certificates found ***)
endif

ifneq ($(wildcard $(obj)/.x509.list),)
ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
$(info X.509 certificate list changed)
$(shell rm $(obj)/.x509.list)
endif
endif

ifneq ($(wildcard $(obj)/.tool_x509.list),)
ifneq ($(shell cat $(obj)/.tool_x509.list),$(X509_TOOL_CERTIFICATES))
$(info X.509 tool_certificate list changed)
$(shell rm $(obj)/.tool_x509.list)
endif
endif

kernel/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_tool_certificate_list

quiet_cmd_x509certs  = CERTS   $@  
	cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; echo "  - Including cert $(X509)")
quiet_cmd_tool_x509certs  = CERTS   $@  
	cmd_tool_x509certs  = cat $(X509_TOOL_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_TOOL_CERTIFICATES),; echo "  - Including cert $(X509)")

targets += $(obj)/x509_certificate_list
$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
	$(call if_changed,x509certs)

kernel/system_certificates.S

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

#include <linux/export.h>
#include <linux/init.h>

	__INITRODATA

	.align 8
	.globl VMLINUX_SYMBOL(system_certificate_list)
VMLINUX_SYMBOL(system_certificate_list):
__cert_list_start:
#ifdef CONFIG_MODULE_SIG
#ifdef CONFIG_MODULE_SIG_FORCE
	.incbin "kernel/x509_certificate_list"
#endif
#endif
__cert_list_end:

	.align 8
	.globl VMLINUX_SYMBOL(system_certificate_list_size)
VMLINUX_SYMBOL(system_certificate_list_size):
#ifdef CONFIG_64BIT
	.quad __cert_list_end - __cert_list_start
#else
	.long __cert_list_end - __cert_list_start
#endif

	.align 8
	.globl VMLINUX_SYMBOL(tool_certificate_list)
VMLINUX_SYMBOL(tool_certificate_list):
__tool_cert_list_start:
#ifdef CONFIG_MODULE_SIG
#ifdef CONFIG_MODULE_SIG_FORCE
	.incbin "kernel/x509_tool_certificate_list"
#endif
#endif
__tool_cert_list_end:

	.align 8
	.globl VMLINUX_SYMBOL(tool_certificate_list_size)
VMLINUX_SYMBOL(tool_certificate_list_size):
#ifdef CONFIG_64BIT
	.quad __tool_cert_list_end - __tool_cert_list_start
#else
	.long __tool_cert_list_end - __tool_cert_list_start
#endif

往内核插入自己密匙

kernel/system_keyring.c copy出来独立模块,将自己公匙导入系统

内核模块签名--命令行

依据 scripts/sign-file, 命令行签名模块及验证签名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

# 生成签名,密匙MOK_private.perm; 证书MOK.crt; DER格式证书MOK.der
openssl req -newkey rsa:4096 -nodes -keyout MOK_private.perm -new -x509 -sha512 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
openssl req -newkey rsa:4096 -nodes -keyout MOK_private.perm -new -x509 -sha512 -days 3650 -subj "/CN=test.com/" -out MOK.crt
openssl x509 -outform DER -in MOK.crt -out MOK.der

# pem 转 crt
openssl x509 -in MOK.pem -out MOK.crt

# 从密匙、证书提取公匙
openssl rsa -in MOK_private.perm -pubout -out MOK_pub.perm
openssl x509 -pubkey -in MOK.crt > MOK_pub.perm


# 从ko中提取摘要
openssl dgst -sha512 -binary test.ko.tmp > test.ko.sha512

# 依据 scripts/sign-file, 需要在摘要前加些东西再做签名
./a.out > test.ko.dgst
cat test.ko.sha512 >> test.ko.dgst

# 对摘要签名
openssl rsautl -sign -in test.ko.dgst -out test.ko.sig -inkey MOK_private.key

# 解密签名得到摘要
openssl rsautl -verify -inkey MOK.crt -certin -in test.ko.sig -o test.ko.verify1
openssl rsautl -verify -inkey MOK_pub.key -pubin -in test.ko.sig -o test.ko.verify2
diff test.ko.verify1 test.ko.dgst

# 直接用公匙验证签名
openssl dgst -sha512 -verify MOK_pub.key -signature test.ko.sig test.ko.tmp

a.c

1
2
3
4
5
6
7
8
9
10
11
12

#include <stdio.h>
int main()
{
	int i;
	char a[] = {    0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
			0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
			0x05, 0x00, 0x04, 0x40};

	for (i = 0; i < 19; i ++)
		printf("%c", a[i]);
	return 0;
}

scripts/sign-file

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

不同算法需要在摘要前加下面内容
315 #
316 # Digest the data
317 #
318 my $prologue;
319 if ($dgst eq "sha1") {
320     $prologue = pack("C*",
321                      0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
322                      0x2B, 0x0E, 0x03, 0x02, 0x1A,
323                      0x05, 0x00, 0x04, 0x14);
324     $hash = 2;
325 } elsif ($dgst eq "sha224") {
326     $prologue = pack("C*",
327                      0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
328                      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
329                      0x05, 0x00, 0x04, 0x1C);
330     $hash = 7;
331 } elsif ($dgst eq "sha256") {
332     $prologue = pack("C*",
333                      0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
334                      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
335                      0x05, 0x00, 0x04, 0x20);
336     $hash = 4;
337 } elsif ($dgst eq "sha384") {
338     $prologue = pack("C*",
339                      0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
340                      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
341                      0x05, 0x00, 0x04, 0x30);
342     $hash = 5;
343 } elsif ($dgst eq "sha512") {
344     $prologue = pack("C*",
345                      0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
346                      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
347                      0x05, 0x00, 0x04, 0x40);
348     $hash = 6;
349 } else {
350     die "Unknown hash algorithm: $dgst\n";
351 }
352
353 my $signature;
354 if ($signature_file) {
355         $signature = read_file($signature_file);
356 } else {
357         #
358         # Generate the digest and read from openssl's stdout
359         #
360         my $digest;  # 先算摘要
361         $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
362 
363         #
364         # Generate the binary signature, which will be just the integer that
365         # comprises the signature with no metadata attached.
366         #
367         my $pid;     # 签名命令,签名的输入372行
368         $pid = open2(*read_from, *write_to,
369                      "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
370             die "openssl rsautl";
371         binmode write_to; # 签名的输入是 $prologue . $digest
372         print write_to $prologue . $digest || die "pipe to openssl rsautl";
373         close(write_to) || die "pipe to openssl rsautl";
374 
375         binmode read_from;
376         read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
377         close(read_from) || die "pipe from openssl rsautl";
378         waitpid($pid, 0) || die;
379         die "openssl rsautl died: $?" if ($? >> 8);
380 }
381 $signature = pack("n", length($signature)) . $signature,
382

https://www.jianshu.com/p/215eee5dbb05

整篇文章经由对Signing Kernel Moudles For Security Boot实践整理而成。如果能看懂原版的话,建议看该网页

在我们安装一个自己编译的模块包后,需要modprobe xx 然而,可能出现required key not available这样的提示。

这是由于采用EFI的Linux系统限制只有通过签名的模块才能加载运行。如果你是安装自己编译的模块,就需要自己签名了。

1.需要安装依赖的工具:

1
2
3
4
5

sudo yum install openssl
sudo yum install kernel-devel
sudo yum install perl
sudo yum install mokutil
sudo yum install keyutils

2.对于System Key Rings的解释:

咱们的X.509 Keys放在哪儿呢?请看下表

1
2
3
4

Source of X.509 Keys     User Ability to Add Keys    Keys Loaded During Boot
UEFI Secure Boot "db"     Limited             .system_keyring
UEFI Secure Boot "dbx"        Limited             .system_keyring
Machine Owner Key (MOK) list  Yes             .system_keyring

密钥要经过系统验证,也就是说咱们的一对密钥中的公钥要加载进MOK中

3.检查自己是否是EFI

1

sudo keyctl list %:.system_keyring

你看到的就是MOK list

如果是EFI,你可以看到包含 EFI 字样的keyring。咱们在安装过程中,也要把自己的keyring也加到里面去。

4.生成自己的密钥对

生成密钥配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

sudo cat << EOF > configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = <你的签名key的名字>
emailAddress = <你的E-mail>

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

你的名字和E-mail地址这些东西是为了标识你的签名密钥,毕竟是自己做的作品嘛。你还可以在 [req_distinguished_name] 部分添加更多信息,也可以删减。

生成密钥

1
2
3
4

sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
	-batch -config configuration_file.config -outform DER \
	-out public_key.der                   \  
	-keyout private_key.priv

5.登记你的公钥

公钥要登记在MOK list里

Centos7、RedHat EL7系系统,可以使用mokutil

1

sudo mokutil --import my_signing_key_pub.der

这时系统会要你为MOK登记设置一个密码

设置完密码后,重启:

1

sudo reboot

重启过程中会进入EFI的确认界面,输入刚刚设置的密码,一直确认就行

重启后,输入

1

sudo keyctl list %:.system_keyring

你会发现MOK list比以前多了一项,也就是你的签名

6.给你的模块签名

这里我结合我自己给wl模块签名的实例

这里 我的wl模块 来源于我安装了一个叫wl-kmod的包,这是无线网卡驱动,为了找到模块位置,我先输入:

1

rpm -ql kmod-wl

找到了wl.ko的位置在/lib/modules/3.10.0-514.10.2.el7.x86_64/extra/wl/wl.ko

如果能给安装包直接签名貌似更好,但是我是已经安装完才进行补救的

那么就是给wl.ko签名啦:

1
2
3
4
5

sudo perl /usr/src/kernels/$(uname -r)/scripts/sign-file \
	sha256 \
	/home/feyan/feyan_signing_key_pub.der\     #公钥文件(位置和名称视具体情况)
	/home/fayan/feyan_signing_key.priv\        #私钥文件(位置和名称视具体情况)
	/lib/modules/3.10.0-514.10.2.el7.x86_64/extra/wl/wl.ko   #模块文件

签名成功后,输入

1

sudo modprobe wl

载入模块没有问题,说明我的签名成功了