torvalds/linux
Certs
Purpose
certs/ is where the kernel keeps cryptographic certificates compiled into the kernel image: the platform key, module-signing keys, system trusted keys, and revocation/blacklist lists. These keys end up in the kernel's keyring and are used to verify modules, kexec images, BPF programs (in some configurations), and IMA appraisals.
Directory layout
certs/
├── Kconfig
├── Makefile
├── system_keyring.c # The .builtin_trusted_keys keyring
├── revocation_certificates.S # Embedded revocation list
├── extract-cert.c # Build-time tool used by scripts/sign-file
├── default_x509.genkey # Template for ad-hoc key generation
└── (build artifacts: signing_key.pem, …, NOT committed)How it works
graph LR
KCFG[".config: CONFIG_MODULE_SIG=y, CONFIG_SYSTEM_TRUSTED_KEYS=…"] --> CERTS[certs/Makefile]
CERTS -->|embed PEM| BUILTIN[builtin_trusted_keys keyring]
BUILTIN -->|verify| MOD[Kernel modules at load time]
BUILTIN -->|verify| KEXEC[kexec_file_load with KEXEC_FILE_VERIFY_SIG]
BUILTIN -->|verify| BPF[BPF programs in lockdown mode]
BUILTIN -->|verify| IMA[IMA appraisal]At build time, the kernel embeds:
- Builtin trusted keys — public keys from
CONFIG_SYSTEM_TRUSTED_KEYS=path/to/x509.pem. Loaded into.builtin_trusted_keys. - Module signing key — generated locally if
CONFIG_MODULE_SIG_KEY=points at the default location and the key doesn't exist. Used byscripts/sign-fileto sign every.ko. - Revocation list —
CONFIG_SYSTEM_REVOCATION_KEYSfor revoked certs, in.system_blacklist_keyring. - Platform keys — populated at boot from EFI variables (
db,dbx,MokListRT) on Secure Boot machines.
At load time, kernel/module/signing.c verifies a module against the trusted keyring before allowing it to run.
Module signing flow
make modules_sign(orINSTALL_MOD_STRIP=1 make modules_install) signs.kofiles usingscripts/sign-fileand the per-build private key.- The kernel keeps the corresponding public key in
.builtin_trusted_keys. - At
insmod/modprobetime,mod_verify_sig(inkernel/module/signing.c) extracts the appended PKCS#7 signature, verifies it, and then loads the module.
Integration points
- kernel/module/: signing verification, revocation check.
- kernel/kexec*.c:
kexec_file_loadverification. - security/integrity/ima/: appraisal against trusted keys.
- security/keys/: the keyring framework that hosts these.
- fs/efi* and drivers/firmware/efi/: import platform keys at boot.
Entry points for modification
- New trusted-key source: extend
system_keyring.cand add a Kconfig knob. - Custom CA: build with
CONFIG_SYSTEM_TRUSTED_KEYS="/path/to/your/ca.pem". - Module signing changes: see
Documentation/admin-guide/module-signing.rstandkernel/module/signing.c.
Related pages
- Crypto → Asymmetric keys — X.509/PKCS#7 parsing.
- Security → Keys / IMA / Lockdown — the consumers.
- Kernel core — the module loader.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.