Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. If you'd want to keep Secure Boot and also run these modules, then the next logical step is to sign those modules.
So let's try it.
So let's try it.
- Create signing keys
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=descriptive name/" - Sign the module
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /path/to/module - Register the keys to Secure Boot
sudo mokutil --import MOK.der
Supply a password for later use after reboot - Reboot and follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
Resources: Detailed website article for Fedora and Ubuntu implementation of module signing.
One addition for the security-conscious: the private key MOK.priv generated by openssl -nodes as above is not protected by a password. Thus in principle, a rogue program could use it to sign a compromised module or even taint the bootloader, as your signing key now sits in hardware storage as a trusted key. A more secure solution is to omit the -nodes option. In step 1 openssl will then ask for a password to protect the private key. Before step 2, when signing, set the KBUILD_SIGN_PIN environment variable to the password you specified in step 1.
No comments:
Post a Comment