http://bugzilla.opensuse.org/show_bug.cgi?id=1209006 Bug ID: 1209006 Summary: Document how to secureboot-sign manually built kernel modules on TW kernel >= 6.2.1 Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs@opensuse.org Reporter: sndirsch@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Now that we added lockdown patches to our kernel with version 6.2.1 breaking nvidia driver packages it would be time to let our users/developers know how to secureboot-sign manually-built kernel modules (vmware, nvidia, etc.). You can see that there is a need in this mail thread on opensuse-factory ML. :-( https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/A... Documentation for vmware, that doesn't work for TW 6.2.1 kernels https://kb.vmware.com/s/article/2146460 (well, there is missing a -addext "extendedKeyUsage=codeSigning needed already for Leap kernels; so this seems to be outdated anyway) Things that are working for Leap >= 15.2 are: flavor=default privkey=$(mktemp /tmp/MOK.priv.XXXXXX) pubkeydir=/var/lib/nvidia-pubkeys pubkey=$pubkeydir/MOK-nvidia-driver-G06-525.89.02-7.1-$flavor.der # make sure creation of pubkey doesn't fail later test -d pubkeydir || mkdir -p $pubkeydir # Create a key pair (private key, public key) openssl req -new -x509 -newkey rsa:2048 \ -keyout $privkey \ -outform DER -out $pubkey -days 1000 \ -subj "/CN=Local build for nvidia-driver-G06 525.89.02 on $(date+"%Y-%m-%d")/" \ -addext "extendedKeyUsage=codeSigning" \ -nodes # Install the public key to MOK mokutil --import $pubkey --root-pw kver=6.2.1-1-default # Sign the Nvidia modules (weak-updates appears to be broken) for i in /lib/modules/$kver/updates/nvidia*.ko; do /lib/modules/$kver/build/scripts/sign-file sha256 $privkey $pubkey $i done # cleanup: private key no longer needed rm -f $privkey With the TW kernel this results in # dmesg -c > /dev/null # modprobe nvidia modprobe: ERROR: could not insert 'nvidia': Operation not permitted # dmesg [ 58.707747] lockdown_is_locked_down: 2 callbacks suppressed [ 58.707751] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7 # modinfo nvidia filename: /lib/modules/6.2.1-1-default/updates/nvidia.ko firmware: nvidia/525.89.02/gsp_tu10x.bin firmware: nvidia/525.89.02/gsp_ad10x.bin alias: char-major-195-* version: 525.89.02 [...] Takashi asked me to look into our kernel-install-tools. I had a quick look, but I need to say I don't understand them. 1) It works with one file /path/to/certificate for both private and public key? How is this possible? We want to remove private key right after signing but keep public key on the system. 2) There is only a tool (sbtool-sign-kernel) to sign the kernel image, not the kernel modules? Or how is this supposed to work? 3) Signing of modules in KMPs is apparently not being done by the tools in this package, so maybe these are not the right tools at all? -- You are receiving this mail because: You are on the CC list for the bug.