integrity check on kernel for security

asked 2017-10-22 12:17:01 -0500

MysticDoor

Hi, I want to check the integrity of some packages, for example kernel-core. As far as I know, the kernel /boot/vmlinuz-4.11.8-300.fc26.x86_64 is a part of kernel-core:

[root@mypc ~]# rpm -ql kernel-core|grep -i boot

Then with the command rpm -V -v kernel-core I should check the integrity of the full kernel. But:

[root@mypc ~]# rpm -V -v kernel-core|grep -i boot
[root@mypc ~]#

Could anyone explain to me why this is?

answered 2017-10-22 12:45:10 -0500

villykruse

updated 2017-10-23 00:30:35 -0500

For some reason, these files are marked as %ghost in the rpm .spec file, which means that rpm -V does not check these files. What you can do is:

rpm -ql --dump kernel-core | grep boot

Notice the long string of hexadecimal numbers in the fourth field. This is the sha256sum for each file. You can then compare that with the output of

sha256sum /boot/vmlinuz* /boot/config* /boot/*

The initramfs is almost always recreated after installation, and would therefore not match.

Why the files are %ghost I have no idea.


Actually, the real boot files are also found in
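The comparison described in the answer above, as an added example that is not part of the original post: a POSIX shell function that reads rpm -ql --dump output, takes the fourth field as the expected SHA-256, and reports each file under a path prefix as OK, MISMATCH or MISSING. The function name verify_rpm_dump and its alternate-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Reads `rpm -ql --dump` lines on stdin:
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# and compares field 4 (SHA-256) with the file on disk.
#   $1  path prefix to check, e.g. /boot/
#   $2  optional alternate root (hypothetical parameter, e.g. a mounted image)
# Paths containing whitespace are not handled.
verify_rpm_dump() {
    prefix=$1
    root=${2:-}
    rc=0
    while read -r file size mtime digest rest; do
        case $file in
            "$prefix"*) ;;
            *) continue ;;
        esac
        # Keep only 64-hex-digit digests; directories and symlinks
        # carry no file digest (shown as all zeros) and are skipped.
        case $digest in
            ""|*[!0-9a-f]*) continue ;;
        esac
        [ "${#digest}" -eq 64 ] || continue
        [ -n "$(printf %s "$digest" | tr -d 0)" ] || continue
        if [ ! -f "$root$file" ]; then
            echo "MISSING  $file"; rc=1; continue
        fi
        actual=$(sha256sum "$root$file" | cut -d' ' -f1)
        if [ "$actual" = "$digest" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file"; rc=1
        fi
    done
    return "$rc"
}

# Script usage: sh verify.sh kernel-core /boot/
if [ "$#" -gt 0 ]; then
    rpm -ql --dump "$1" | verify_rpm_dump "${2:-/boot/}"
fi
```

As the answer notes, the initramfs is recreated after installation, so a MISMATCH on that file is expected.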

answered 2017-10-22 13:21:47 -0500

MysticDoor

OK, it works... but there is a strange thing. I have downloaded the original kernel-core rpm, but when I extract the rpm with rpm2cpio package | cpio -idvm I can't find the kernel files... I mean all the files that should be installed in /boot...

Interesting. It turns out that the boot files are also found here.


By the way, your answer should really have been a comment.

villykruse ( 2017-10-23 00:10:28 -0500 )

Wow! I am very surprised... then that means the files are copied from /lib/modules/blah to /boot... Well, the last question: how can I check the security of the initramfs? I mean, IMHO that file is the perfect place to hide a kernel rootkit or an evil module. Then to check the security, do I need to unpack it and check the hash of every module?

MysticDoor ( 2017-10-23 15:40:26 -0500 )

That is where UEFI secure boot comes in and checks the bootloader, the kernel, and all kernel modules at boot time.

villykruse ( 2017-10-24 00:54:19 -0500 )

Thank you very much! I learned a lot!

MysticDoor ( 2017-10-24 15:11:20 -0500 )

