sign kernel modules #3
Comments
Hello! Here is an article on this topic: https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/ In short, a module signature is required when Secure Boot is enabled. At the moment linux-secureboot-kit doesn't sign DKMS modules, but I think it is also possible to add a signing hook to the DKMS post-install scripts or the existing kernel post-install hooks. The recipe above uses machine owner keys (MOK) to sign modules, whose enrolment requires an additional reboot. Probably we don't need MOK keys and we are already good to go with our
@Snawoot thanks a lot for a fast answer!
@Snawoot btw, I can't enroll MOK keys in UEFI - the tool simply doesn't start up on boot. I tried resetting to setup mode and cleaning the UEFI keys, but UEFI prints me this:
@mrsmith0x00 Then try to sign with db.key and db.crt instead of MOK keys. I think it has to work. Please tell me your results.
Some docs on this subject suggest my guess is correct: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html#sect-sources-for-public-keys-used-to-authenticate-kernel-modules - db keys are usable instead of MOK keys.
And since they are already installed in UEFI, you don't have to add them; you may sign modules with them right away.
@mrsmith0x00 yeah, I think that this will work. But... I deleted my old
No problem. The variables contain only certificates, so the private key is lost and you have to reinstall from scratch: remove all keys from UEFI, remove the SignedBoot menu entry from UEFI and run install again.
@Snawoot done! Via:
Thanks a lot for the help! Now closed.
Nice! Now I have a shallow understanding of how it should be automated, and probably soon it'll be included in the linux-secure-boot recipes.
Short notice: automated signature for DKMS modules has been merged into master along with improved initramfs signature hooks. |
Hello!
How should I sign kernel modules (DKMS) so that they load and work properly?
At the moment I have:
dmesg:
Thanks in advance!
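A check that complements the thread's outcome, added here as an example and not taken from linux-secureboot-kit or from any participant: it reads the signature trailer that the kernel's module signing appends to a `.ko` file and reports whether one is present and well-formed. The function names and the sample bytes are constructed for illustration, and the module file is assumed to be uncompressed.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # trailer marker written by the kernel's sign-file
INFO = struct.Struct(">5B3xI")            # struct module_signature: 5 x u8, 3 pad bytes, be32 sig_len
PKEY_ID_PKCS7 = 2                         # id_type for PKCS#7 signatures

def appended_signature(blob):
    """Return (id_type, signature bytes) if blob ends with a signature trailer, else None."""
    if not blob.endswith(MAGIC):
        return None
    info_end = len(blob) - len(MAGIC)
    info_start = info_end - INFO.size
    if info_start < 0:
        raise ValueError("file too short for module_signature")
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = INFO.unpack(blob[info_start:info_end])
    if sig_len == 0 or sig_len > info_start:
        raise ValueError("sig_len %d does not fit in the file" % sig_len)
    return id_type, blob[info_start - sig_len:info_start]

def describe(blob):
    """Short status string, suitable for a post-install hook log line."""
    try:
        found = appended_signature(blob)
    except ValueError as exc:
        return "corrupt: %s" % exc
    if found is None:
        return "unsigned"
    id_type, sig = found
    kind = "PKCS#7" if id_type == PKEY_ID_PKCS7 else "id_type %d" % id_type
    return "signed: %s, %d bytes" % (kind, len(sig))

# Constructed sample data: a stand-in module body and a stand-in signature blob.
SAMPLE_BODY = b"\x7fELF" + bytes(60)
SAMPLE_SIG = b"\x30\x82" + bytes(30)
SAMPLE_SIGNED = SAMPLE_BODY + SAMPLE_SIG + INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(SAMPLE_SIG)) + MAGIC

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Paths to uncompressed .ko files given on the command line.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, "->", describe(fh.read()))
    else:
        print("sample unsigned ->", describe(SAMPLE_BODY))
        print("sample signed   ->", describe(SAMPLE_SIGNED))
```

A present trailer only shows that a signature was appended; whether the module loads under Secure Boot still depends on the kernel trusting the certificate that made it, such as the db certificate discussed above.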