modsig: add support to sign kernel modules using ephemeral keys

Signed modules are only as secure as the private key used to sign
them.  This patch limits access to the private key by limiting the
private key's existence to 'modules_install'(ie. this is meant for
local developers, not distros.)

This patch defines a new kernel build command line parameter
called MODSIG (eg. make MODSIG=1 modules_install) and adds
support for ephemeral keys.

MODSIG=1 creates an ephemeral key pair during 'modules_install',
forcing the rebuilding of the bzImage containing the new ephemeral
builtin public key, signs the kernel modules with the private key,
and then destroys the private key, limiting the existance of the
private key to the 'modules_install' execution time.  (The private
key's existence could be further limited, if the key generation
wasn't tied to a specific file, but defined as a separate target.)

Another possible MODSIG option would be to password protect the
private key.  Although this option is not as safe as removing the
private key, it would not require rebuilding the bzImage, as the
key pair is generated during 'make'.

Changelog v1:
- rebased on the upsteamed kernel module support

Signed-off-by: Dmitry Kasatkin <>
Signed-off-by: Mimi Zohar <>
1 file changed