[CentOS-devel] signing of openvswitch.ko with kernel signing key

Phil Perry

pperry at elrepo.org
Tue Jan 15 18:23:14 UTC 2019


On 15/01/2019 14:38, Karanbir Singh wrote:
> On 15/01/2019 14:27, Maheshwari, Shagun wrote:
>> Hi,
>>
>> Latest CentOS kernel comes with openvswitch-2.0.0 drivers, but for an
>> application, I needed openvswitch-2.9.2. I am trying to get my
>> openvswitch.ko (from openvswitch-kmod-2.9.2-1.el7.centos.x86_64.rpm ) to
>> get signed by the kernel module signing key. To achieve this I included
>> below line to my spec file:
>>
>>    mv signing_key.x509.sign.debug signing_key.x509 \
>>
>>     %{modsign_cmd} ~/home/nupur/openvswitch/*.ko
>>
>>     %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVRA}.debug || exit 1 \
>>
>>    fi \
>>
>>      if [ "%{with_default}" -ne "0" ]; then \
>>
>> But the build is failing. Please suggest, if it is feasible to achieve
>> this. Or is this the right thing to do to sign third-party module with
>> CentOS signing key.
>>
> 
> We don't/won't sign an external build with the kernel sign key (once the
> trust path is established, we don't preserve it even)
> 
> regards
> 

As a workaround, you can generate your own signing key, sign your own 
module(s) with it, and they will work fine with secure boot once you 
have imported that signing key into your Machine Owner Key (MOK) list 
using mokutil.

Hope that helps
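
The workaround described in the reply above, sketched as an added example (not part of the original post and not CentOS or ELRepo tooling): generate a local key pair, sign the module, confirm the signature trailer is present, and queue the certificate for MOK enrollment. The file names `MOK.priv`/`MOK.der`, the certificate CN, the function names and the `sign-file` location under `/usr/src/kernels` (kernel-devel installed) are assumptions.

```shell
#!/bin/sh
# Added example; file names, CN and the sign-file path are assumptions.
KEY=${KEY:-MOK.priv}     # private key: keep root-only, ideally off the target host
CERT=${CERT:-MOK.der}    # DER certificate that gets enrolled in the MOK list
SIGN_FILE=${SIGN_FILE:-/usr/src/kernels/$(uname -r)/scripts/sign-file}

gen_key() {
    # Self-signed X.509 pair; -nodes leaves the private key unencrypted on disk.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Local module signing key (example)/" \
        -keyout "$KEY" -outform DER -out "$CERT"
    chmod 600 "$KEY"
}

sign_module() {
    # Appends a signature to the module file in place.
    "$SIGN_FILE" sha256 "$KEY" "$CERT" "$1"
}

is_signed() {
    # Signed modules end with a 28-byte marker (27 characters plus newline).
    # This only checks that a signature is attached, not that it verifies.
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "~Module signature appended~" ]
}

enroll_key() {
    # Queues the certificate; mokutil asks for a one-time password that is
    # confirmed in the MokManager screen on the next reboot.
    mokutil --import "$CERT"
}

main() {
    case "$1" in
        gen)    gen_key ;;
        sign)   shift
                for m in "$@"; do
                    sign_module "$m" && is_signed "$m" || return 1
                done ;;
        enroll) enroll_key ;;
        check)  mokutil --test-key "$CERT" ;;   # reports whether the key is enrolled
        *)      echo "usage: $0 gen|sign <module.ko>...|enroll|check" >&2
                return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The kernel only accepts the signature after the reboot in which the key is confirmed at the MokManager prompt; whoever holds `MOK.priv` can then sign any module that machine will load.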