Configure Gentoo with Signed Kernel module
Introduction
This work is based on the Gentoo wiki, but for better security I prefer to delete the auto-generated signing key at the end of the kernel installation. The kernel generates that key (certs/signing_key.pem) at build time and leaves it in the source tree, so anyone with root access could later use it to sign arbitrary modules; once it is gone, only modules signed during that build will load. Any out-of-tree modules you need must therefore be built and signed before the key is removed; afterwards they can only be signed by rebuilding the kernel, which generates a fresh key.
Configuring module signature verification
Under "Enable loadable module support", enable Module signature verification, Require modules to be validly signed, and Automatically sign all modules, and keep the hash algorithm at SHA-512. Finally, make sure Compress modules on installation is disabled (the genkernel initramfs cannot load compressed modules):
--- Enable loadable module support
  [*] Module signature verification
  [*]   Require modules to be validly signed
  [*]   Automatically sign all modules
        Which hash algorithm should modules be signed with? (Sign modules with SHA-512)  --->
  [ ] Compress modules on installation
Configure genkernel to delete the key
Create the postgen.d directory, which genkernel scans for hooks to run after the kernel has been built:
# mkdir -p /etc/kernels/postgen.d
Then, inside the postgen.d directory, create the file 10-remove-certs.sh and make it executable:
# cd /etc/kernels/postgen.d/
# touch 10-remove-certs.sh
# chmod 0754 10-remove-certs.sh
Now open 10-remove-certs.sh with your preferred editor and give it the content below. Note that shred only reliably overwrites data on filesystems that rewrite blocks in place; on copy-on-write filesystems (such as btrfs) or SSDs the old blocks may survive, so treat the removal as defence in depth rather than a guarantee.
#!/usr/bin/env bash
# genkernel post-generation hook: shred the build-time module signing key so
# that nothing can be signed with it after the kernel has been built.
set -u

# Directory the kernel was built in. If you build into a separate output
# directory (genkernel --kernel-outputdir), point this there instead: the key
# is generated in <output dir>/certs/, not in the source tree.
KERNEL_SOURCE="/usr/src/linux"
CERT_DIR="certs"
# private key, matching certificate, and the openssl config used to create them
FILES="signing_key.pem signing_key.x509 x509.genkey"
SHRED="$(command -v shred)"

for f in ${FILES}; do
    if [ -f "${KERNEL_SOURCE}/${CERT_DIR}/${f}" ]; then
        echo "Remove ${KERNEL_SOURCE}/${CERT_DIR}/${f}"
        "${SHRED}" -f -u "${KERNEL_SOURCE}/${CERT_DIR}/${f}"
    fi
done
Building the kernel
Now we can run genkernel to build and install the new kernel; the hook above runs once the build has finished. The --luks and --lvm options add LUKS and LVM support to the initramfs, so drop them if your root filesystem does not use them:
# genkernel --luks --lvm all
Configure grub and reboot
Finally, regenerate the GRUB configuration so it picks up the newly installed kernel, then reboot:
# grub-mkconfig -o /boot/grub/grub.cfg
# shutdown -r now
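As an added example (not part of the original page or of the Gentoo wiki), the following script checks after the reboot that the build delivered what the menuconfig section above asked for and that the postgen.d hook did its job: it verifies the config symbols behind those menu entries (CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE, CONFIG_MODULE_SIG_ALL, CONFIG_MODULE_SIG_SHA512, and no CONFIG_MODULE_COMPRESS_GZIP/XZ/ZSTD method selected), that none of the key files remain under /usr/src/linux/certs, and that every loaded module carries a SHA-512 signature. It assumes the running kernel exposes /proc/config.gz (CONFIG_IKCONFIG_PROC) and that the key directory and hash algorithm are the defaults used above; both can be overridden through the KEY_DIR and HASH_ALGO environment variables, and the live checks only run when the script is invoked with --live so the helper functions can also be exercised on constructed input.

```shell
#!/usr/bin/env bash
# Post-reboot verification of enforced module signing (added example, not the
# page's or the Gentoo wiki's own code). Assumptions: key directory and hash
# algorithm below; /proc/config.gz available; run as root for --live.
set -eu

KEY_DIR="${KEY_DIR:-/usr/src/linux/certs}"
HASH_ALGO="${HASH_ALGO:-sha512}"

# $1 = kernel config text. Succeeds only if signing is enabled, enforced,
# applied to every module, done with SHA-512, and no module compression method
# is selected (CONFIG_MODULE_COMPRESS_NONE=y on 5.13+ kernels, or simply no
# *_GZIP/_XZ/_ZSTD=y on older ones).
check_sig_config() {
    local cfg="$1" sym
    for sym in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE \
               CONFIG_MODULE_SIG_ALL CONFIG_MODULE_SIG_SHA512; do
        printf '%s\n' "$cfg" | grep -qx "${sym}=y" \
            || { echo "missing ${sym}=y" >&2; return 1; }
    done
    if printf '%s\n' "$cfg" | grep -qE '^CONFIG_MODULE_COMPRESS_(GZIP|XZ|ZSTD)=y$'; then
        echo "module compression is enabled; the genkernel initramfs cannot load compressed modules" >&2
        return 1
    fi
}

# $1 = full output of `modinfo <module>`. Succeeds if the module carries a
# signature made with $HASH_ALGO (the kernel rejects an unsigned or
# wrongly-signed module at load time when CONFIG_MODULE_SIG_FORCE=y).
module_is_signed() {
    printf '%s\n' "$1" | grep -qE "^sig_hashalgo:[[:space:]]+${HASH_ALGO}\$"
}

# $1 = directory the key was generated in. Succeeds only if none of the files
# the postgen.d hook shreds is still present.
signing_key_removed() {
    local f
    for f in signing_key.pem signing_key.x509 x509.genkey; do
        if [ -e "$1/$f" ]; then
            echo "$1/$f still on disk: anyone with root could sign modules with it" >&2
            return 1
        fi
    done
}

# Run all three checks against the running system; exit status 1 on any failure.
run_live_checks() {
    local mod rc=0
    check_sig_config "$(zcat /proc/config.gz)" || rc=1
    signing_key_removed "$KEY_DIR" || rc=1
    # first field of each /proc/modules line is the name of a loaded module
    while read -r mod _; do
        module_is_signed "$(modinfo "$mod")" \
            || { echo "$mod is not signed with $HASH_ALGO" >&2; rc=1; }
    done < /proc/modules
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as root with `./verify-modsig.sh --live`; a non-zero exit status together with the messages on stderr tells you which of the three properties the system is missing.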