https://blog.csdn.net/BlueSy2008/article/details/79372962
https://blog.csdn.net/daoshuti/article/details/72846497
Building the kernel with proper keys
user $ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.priv
Manually signing modules
If you ever need to manually sign a kernel module, you can use the scripts/sign-file script available in the Linux kernel source tree. It requires four arguments:
- The hash algorithm to use, such as sha512
- The private key location
- The certificate (which includes the public key) location
- The kernel module to sign
In this case, the key pair does not need to be named signing_file.priv and such, nor do they need to be in the root of the Linux kernel source tree location.
user $ perl /usr/src/linux/scripts/sign-file sha512 /mnt/sdcard/kernel-signkey.priv /mnt/sdcard/kernel-signkey.x509 vxlan.ko
Validating module signature support
user $ hexdump -C vxlan.ko | tail
00008880 cf 0e e7 cb 10 9e 98 5f 4b 21 d4 03 ba 3d 7e e7 |......._K!...=~.|
00008890 68 db f9 e3 5f 62 3c c7 d6 6c 84 c7 d6 68 c1 73 |h..._b<..l...h.s|
000088a0 3d d7 5a 38 66 99 12 b8 84 c9 84 45 dd 68 6d 17 |=.Z8f......E.hm.|
000088b0 03 24 dc 9c 6f 6d 11 01 e9 74 82 ea b5 5b 46 07 |.$..om...t...[F.|
000088c0 fe dd 66 97 1a 33 58 3d 6e d0 ac 03 08 16 73 06 |..f..3X=n.....s.|
000088d0 9f 90 c4 eb b3 82 1d 9f 48 8c 5b 51 01 06 01 1e |........H.[Q....|
000088e0 14 00 00 00 00 00 02 02 7e 4d 6f 64 75 6c 65 20 |........~Module |
000088f0 73 69 67 6e 61 74 75 72 65 20 61 70 70 65 6e 64 |signature append|
00008900 65 64 7e 0a |ed~.|
00008904
To remove the signature, we can use the strip command:
root # strip –strip-debug vxlan.ko
root # hexdump -C vxlan.ko | tail
root # hexdump -C vxlan.ko | tail