Specify module signing key to use
An XCCDF Rule
Description
Setting this option to something other than its default of certs/signing_key.pem will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of your choosing.
The string provided should identify a file containing both a private key and
its corresponding X.509 certificate in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11
is functional — a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should
reference both a certificate and a private key.
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_MODULE_SIG_KEY, run the following command:
grep CONFIG_MODULE_SIG_KEY /boot/config-*
For each kernel installed, a line with value "
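The check above, as an added shell example that is not part of the rule's own content: it reads CONFIG_MODULE_SIG_KEY from each config file, anchoring on "KEY=" so that other options sharing the prefix are not reported, and compares the value with one you supply. The function names, the constructed sample config and the expected value passed by the caller are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the rule content. Function names are hypothetical.

# Print the unquoted CONFIG_MODULE_SIG_KEY value from FILE; return 1 if unset.
# Anchoring on "KEY=" skips longer option names that share the prefix.
sig_key_value() {
    line=$(grep -E '^CONFIG_MODULE_SIG_KEY=' "$1" | tail -n 1) || true
    [ -n "$line" ] || return 1
    value=${line#CONFIG_MODULE_SIG_KEY=}
    value=${value#\"}; value=${value%\"}
    printf '%s\n' "$value"
}

# Classify a value: the default path, a PKCS#11 URI (RFC 7512), or another file.
classify_sig_key() {
    case "$1" in
        '') echo empty ;;
        certs/signing_key.pem) echo default ;;
        pkcs11:*) echo pkcs11 ;;
        *) echo file ;;
    esac
}

# audit_sig_key EXPECTED FILE...: one line per file; non-zero if any file fails.
# EXPECTED is the value your policy requires (an assumption supplied by the caller).
audit_sig_key() {
    expected=$1; shift
    rc=0
    for cfg in "$@"; do
        if value=$(sig_key_value "$cfg"); then
            kind=$(classify_sig_key "$value")
            if [ "$value" = "$expected" ]; then status=PASS; else status=FAIL; rc=1; fi
            printf '%s %s value="%s" kind=%s\n' "$status" "$cfg" "$value" "$kind"
        else
            printf 'FAIL %s CONFIG_MODULE_SIG_KEY not set\n' "$cfg"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config fragment (not from a real system).
sample_config() {
    cat <<'EOF'
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
EOF
}

# Usage: audit_sig_key "<expected value>" /boot/config-*
```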
Rationale
A key and certificate are required to sign the built modules.
- ID
- xccdf_org.ssgproject.content_rule_kernel_config_module_sig_key
- Severity
- Medium
- References
- Updated