Open-Source Wikis

/

Linux

/

Subsystems

/

Certs

torvalds/linux

Certs

Purpose

certs/ is where the kernel keeps cryptographic certificates compiled into the kernel image: the platform key, module-signing keys, system trusted keys, and revocation/blacklist lists. These keys end up in the kernel's keyring and are used to verify modules, kexec images, BPF programs (in some configurations), and IMA appraisals.

Directory layout

certs/
├── Kconfig
├── Makefile
├── system_keyring.c             # The .builtin_trusted_keys keyring
├── revocation_certificates.S    # Embedded revocation list
├── extract-cert.c               # Build-time tool used by scripts/sign-file
├── default_x509.genkey          # Template for ad-hoc key generation
└── (build artifacts: signing_key.pem, …, NOT committed)

How it works

graph LR
    KCFG[".config: CONFIG_MODULE_SIG=y, CONFIG_SYSTEM_TRUSTED_KEYS=…"] --> CERTS[certs/Makefile]
    CERTS -->|embed PEM| BUILTIN[builtin_trusted_keys keyring]
    BUILTIN -->|verify| MOD[Kernel modules at load time]
    BUILTIN -->|verify| KEXEC[kexec_file_load with KEXEC_FILE_VERIFY_SIG]
    BUILTIN -->|verify| BPF[BPF programs in lockdown mode]
    BUILTIN -->|verify| IMA[IMA appraisal]

At build time, the kernel embeds:

  • Builtin trusted keys — public keys from CONFIG_SYSTEM_TRUSTED_KEYS=path/to/x509.pem. Loaded into .builtin_trusted_keys.
  • Module signing key — generated locally if CONFIG_MODULE_SIG_KEY= points at the default location and the key doesn't exist. Used by scripts/sign-file to sign every .ko.
  • Revocation listCONFIG_SYSTEM_REVOCATION_KEYS for revoked certs, in .system_blacklist_keyring.
  • Platform keys — populated at boot from EFI variables (db, dbx, MokListRT) on Secure Boot machines.

At load time, kernel/module/signing.c verifies a module against the trusted keyring before allowing it to run.

Module signing flow

  1. make modules_sign (or INSTALL_MOD_STRIP=1 make modules_install) signs .ko files using scripts/sign-file and the per-build private key.
  2. The kernel keeps the corresponding public key in .builtin_trusted_keys.
  3. At insmod/modprobe time, mod_verify_sig (in kernel/module/signing.c) extracts the appended PKCS#7 signature, verifies it, and then loads the module.

Integration points

  • kernel/module/: signing verification, revocation check.
  • kernel/kexec*.c: kexec_file_load verification.
  • security/integrity/ima/: appraisal against trusted keys.
  • security/keys/: the keyring framework that hosts these.
  • fs/efi* and drivers/firmware/efi/: import platform keys at boot.

Entry points for modification

  • New trusted-key source: extend system_keyring.c and add a Kconfig knob.
  • Custom CA: build with CONFIG_SYSTEM_TRUSTED_KEYS="/path/to/your/ca.pem".
  • Module signing changes: see Documentation/admin-guide/module-signing.rst and kernel/module/signing.c.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Certs – Linux wiki | Factory