Is there an "easy" way to just sign all kernel modules in the /lib/modules directory?
I'm getting an error about a module not being signed so not loading. CentOS 7.7 UEFI booting. (I cannot remove UEFI as hardware does not allow it).
Thanks,
Jerry
I'm getting an error about a module not being signed so not loading. CentOS 7.7 UEFI booting. (I cannot remove UEFI as hardware does not allow it).
You need to turn off secure booting - you can still boot using UEFI, but if secure booting is turned on the kernel doesn't allow unsigned modules.
P.
You need to turn off secure booting - you can still boot using UEFI, but if secure booting is turned on the kernel doesn't allow unsigned modules.
Thanks - so is that a command line to run? A config file to edit?
I ran mokutil --disable-verification and rebooted. I don't desire that MOK management screen to show - how do you get rid of that?
After rebooting my module still does not load.
Jerry
On Mon, 16 Mar 2020 at 12:43, Jerry Geis jerry.geis@gmail.com wrote:
You need to turn off secure booting - you can still boot using UEFI, but if secure booting is turned on the kernel doesn't allow unsigned modules.
Thanks - so is that a command line to run? A config file to edit?
Secure boot is in your hardware UEFI/BIOS setup. Basically ring -1 or -2 on the hardware. Nothing in the OS can turn this on or off, as that is the purpose of this control: to make sure a virus cannot fool the hardware into using bad kernel-level code.
I ran mokutil --disable-verification and rebooted. I don't desire that MOK management screen to show - how do you get rid of that?
After rebooting my module still does not load.
Jerry
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On Mon, 2020-03-16 at 12:42 -0400, Jerry Geis wrote:
You need to turn off secure booting - you can still boot using UEFI, but if secure booting is turned on the kernel doesn't allow unsigned modules.
Thanks - so is that a command line to run? A config file to edit?
It's a BIOS setting.
P.
On 16/03/2020 16:42, Jerry Geis wrote:
You need to turn off secure booting - you can still boot using UEFI, but if secure booting is turned on the kernel doesn't allow unsigned modules.
Thanks - so is that a command line to run? A config file to edit?
I ran mokutil --disable-verification and rebooted. I don't desire that MOK management screen to show - how do you get rid of that?
After rebooting my module still does not load.
Rather than disabling a security feature, why don't you generate a Secure Boot signing key and sign your module?
Please see the RHEL documentation here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
Elrepo has a guide here on how to import your Secure Boot signing key once you have signed your module:
http://elrepo.org/tiki/SecureBootKey
Phil
Hi all - Thanks for the comments. However, I'm getting nowhere.
Let me start again.
My "hardware" does not have the ability to turn off secure boot. It's an Intel NUC7C - not possible. So instead of my generic "image" I have that I copy to physical disk (has all my install, setup etc... everything ready), I created a new UEFI disk that again has everything set up and ready. All works on the image.
Then when I copy to the image and boot up - I noticed things are not quite right. This one module is one example. I think there are others I have not noticed yet.
So "how" can I create an image for UEFI that has everything setup - and then copy that image to a physical disk and expect everything to still be the same and working?
Thanks,
Jerry
OK, I tried signing a module... Did not work.
+ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj '/CN=dahdi Modules/'
Generating a 2048 bit RSA private key
......................................+++
..............................................................................+++
writing new private key to 'MOK.priv'
-----
++ uname -r
++ modinfo -n dahdi
+ /usr/src/kernels/3.10.0-1062.12.1.el7.x86_64/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/3.10.0-1062.12.1.el7.x86_64/dahdi/dahdi.ko
service dahdi restart
Restarting dahdi (via systemctl): Job for dahdi.service failed because the control process exited with error code. See "systemctl status dahdi.service" and "journalctl -xe" for details. [FAILED]
Mar 16 16:20:12 dahdi[12787]: Loading DAHDI hardware modules:
Mar 16 16:20:12 dahdi[12787]: modprobe: ERROR: could not insert 'dahdi': Required key not available
Mar 16 16:20:12 kernel: Request for unknown module key 'dahdi Modules: 3e93f14b19188e27f6dbfaf5ad47474abb9606fc' err -11
Did I miss something?
Jerry
On 16/03/2020 20:23, Jerry Geis wrote:
OK, I tried signing a module... Did not work.
+ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj '/CN=dahdi Modules/'
Generating a 2048 bit RSA private key
......................................+++
..............................................................................+++
writing new private key to 'MOK.priv'
++ uname -r
++ modinfo -n dahdi
+ /usr/src/kernels/3.10.0-1062.12.1.el7.x86_64/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/3.10.0-1062.12.1.el7.x86_64/dahdi/dahdi.ko
service dahdi restart
Restarting dahdi (via systemctl): Job for dahdi.service failed because the control process exited with error code. See "systemctl status dahdi.service" and "journalctl -xe" for details. [FAILED]
Mar 16 16:20:12 dahdi[12787]: Loading DAHDI hardware modules:
Mar 16 16:20:12 dahdi[12787]: modprobe: ERROR: could not insert 'dahdi': Required key not available
Mar 16 16:20:12 kernel: Request for unknown module key 'dahdi Modules: 3e93f14b19188e27f6dbfaf5ad47474abb9606fc' err -11
Did I miss something?
Looks like you did not enroll your signing key in the MOK list, as the kernel is telling you it cannot find your key to verify the signing of the module?
Read the two links I posted earlier, and links therein. That is the best documentation that exists AFAIK.
Phil
Hi Phil,
You're correct. I missed a step about importing the key: mokutil --import MOK.der
So then I rebooted, entered the MOK, accepted all certs and rebooted, and it loaded.
I only have one problem with this... many of my systems are remote. I "will not" be able to remotely enter the MOK and accept the certs etc... How do I get around this? Recall that my hardware (NUC7C) does not allow to disable UEFI. So I have to use UEFI.
Thanks for all the suggestions.
Jerry
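An added example, not from the thread or the DAHDI project: a script that answers the opening question (find and sign every unsigned .ko under a /lib/modules tree with the kernel's sign-file and the MOK.priv/MOK.der pair from the thread) and adds the check Phil's diagnosis points at, whether the certificate is actually enrolled in the MOK list. The 28-byte signature trailer check and the "is already enrolled" output string of mokutil --test-key are my assumptions, not taken from the thread.

```shell
#!/bin/bash
# Added example (not from the thread): find unsigned modules under a
# /lib/modules tree, sign them with the kernel's sign-file, and check
# that the signing certificate is actually enrolled in the MOK list.
# Assumes the CentOS 7 paths and the MOK.priv/MOK.der pair from the thread.

# A signed .ko ends with this 28-byte trailer (27 chars plus newline),
# written by sign-file after the PKCS#7 signature block.
SIG_MARKER='~Module signature appended~'

# Returns 0 if the module file carries an appended signature.
is_signed() {
    # $(...) strips the trailing newline, so compare the 27-char string.
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "$SIG_MARKER" ]
}

# Prints every unsigned .ko under a directory, one per line.
# Default tree: the running kernel's modules.
find_unsigned() {
    local dir="${1:-/lib/modules/$(uname -r)}"
    find "$dir" -type f -name '*.ko' | sort | while read -r mod; do
        is_signed "$mod" || printf '%s\n' "$mod"
    done
}

# Signs each unsigned module in place (sha256, as in the thread).
# Usage: sign_unsigned /lib/modules/$(uname -r) ./MOK.priv ./MOK.der
sign_unsigned() {
    local dir="$1" key="$2" cert="$3"
    local signfile="/usr/src/kernels/$(uname -r)/scripts/sign-file"
    find_unsigned "$dir" | while read -r mod; do
        "$signfile" sha256 "$key" "$cert" "$mod" && echo "signed: $mod"
    done
}

# Returns 0 if the DER certificate is already in the enrolled MOK list.
# Without this step modprobe fails with "Required key not available"
# even though the module is signed. Assumed: mokutil --test-key prints
# "<file> is already enrolled" for an enrolled key.
key_enrolled() {
    mokutil --test-key "$1" 2>/dev/null | grep -q 'is already enrolled'
}
```

Run key_enrolled MOK.der after the reboot-time MOK enrollment; if it fails, the mokutil --import step has not completed and signed modules will still be rejected.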
On Mar 17, 2020, at 07:34, Jerry Geis jerry.geis@gmail.com wrote:
I only have one problem with this... many of my systems are remote. I "will not" be able to remotely enter the MOK and accept the certs etc... How do I get around this? Recall that my hardware (NUC7C) does not allow to disable UEFI. So I have to use UEFI.
This is the point of secure boot, a remote user can’t make it load malicious kernel modules.
-- Jonathan Billings