Bug ID 1209006
Summary Document how to secureboot-sign manually built kernel modules on TW kernel >= 6.2.1
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Kernel
Assignee kernel-bugs@opensuse.org
Reporter sndirsch@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Now that we added lockdown patches to our kernel with version 6.2.1, breaking
the nvidia driver packages, it would be time to let our users/developers know
how to secureboot-sign manually-built kernel modules (vmware, nvidia, etc.).
You can see that there is a need in this mail thread on the opensuse-factory
ML. :-(

https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/APEWGMWSEABQ5ZFGZ2I5M3MWJERZ4K7I/

Documentation for vmware that doesn't work for TW 6.2.1 kernels:

  https://kb.vmware.com/s/article/2146460
  (well, it is missing the -addext "extendedKeyUsage=codeSigning" that is
  needed already for Leap kernels; so this seems to be outdated anyway)

Things that are working for Leap >= 15.2 are:

    flavor=default
    privkey=$(mktemp /tmp/MOK.priv.XXXXXX)
    pubkeydir=/var/lib/nvidia-pubkeys
    pubkey=$pubkeydir/MOK-nvidia-driver-G06-525.89.02-7.1-$flavor.der

    # make sure creation of pubkey doesn't fail later
    test -d "$pubkeydir" || mkdir -p "$pubkeydir"

    # Create a key pair (private key, public key); the codeSigning EKU is
    # required for the kernel to accept the certificate for module signing
    openssl req -new -x509 -newkey rsa:2048 \
                -keyout "$privkey" \
                -outform DER -out "$pubkey" -days 1000 \
                -subj "/CN=Local build for nvidia-driver-G06 525.89.02 on $(date +"%Y-%m-%d")/" \
                -addext "extendedKeyUsage=codeSigning" \
                -nodes

    # Install the public key to MOK (enrollment is confirmed at next reboot)
    mokutil --import "$pubkey" --root-pw

    kver=6.2.1-1-default
    # Sign the Nvidia modules (weak-updates appears to be broken)
    for i in /lib/modules/$kver/updates/nvidia*.ko; do
      /lib/modules/$kver/build/scripts/sign-file sha256 "$privkey" "$pubkey" "$i"
    done

    # cleanup: private key no longer needed
    rm -f "$privkey"

With the TW kernel this results in

# dmesg -c > /dev/null
# modprobe nvidia
modprobe: ERROR: could not insert 'nvidia': Operation not permitted
# dmesg
[   58.707747] lockdown_is_locked_down: 2 callbacks suppressed
[   58.707751] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
# modinfo nvidia
filename:       /lib/modules/6.2.1-1-default/updates/nvidia.ko
firmware:       nvidia/525.89.02/gsp_tu10x.bin
firmware:       nvidia/525.89.02/gsp_ad10x.bin
alias:          char-major-195-*
version:        525.89.02
[...]

Takashi asked me to look into our kernel-install-tools. I had a quick look, but
I need to say I don't understand them.

1) It works with one file /path/to/certificate for both private and public key?
   How is this possible? We want to remove the private key right after signing
   but keep the public key on the system.
2) There is only a tool (sbtool-sign-kernel) to sign the kernel image, not the
   kernel modules? Or how is this supposed to work?
3) Signing of modules in KMPs is apparently not being done by the tools in this
   package, so maybe these are not the right tools at all?
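The signing procedure above gives no way to tell afterwards which modules actually received a signature, or in which state the kernel is when modprobe refuses them. The following POSIX shell script is an added example written for this page; it is not from the bug report and not part of openSUSE's kernel-install-tools. It checks three things a practitioner would want before opening a report like this one: whether each .ko in a directory ends with the trailer that scripts/sign-file appends, which lockdown mode /sys/kernel/security/lockdown reports, and whether a DER certificate is already enrolled in MOK. The two helper functions that touch the real system assume the securityfs file format ("none [integrity] confidentiality", bracketed word active) and assume that "mokutil --test-key" exits 0 only when the certificate is enrolled; the .ko files used when exercising it are constructed stand-ins, not real modules.

```shell
#!/bin/sh
# Added example, not part of the bug report or of openSUSE's kernel-install-tools.
# Checks whether .ko files carry the trailer that scripts/sign-file appends,
# which lockdown mode is active, and whether a MOK certificate is enrolled.

# sign-file appends the PKCS#7 signature, a struct module_signature and this
# marker (27 characters plus a newline, 28 bytes) to the end of the module.
SIG_MARKER='~Module signature appended~'

# Return 0 if the file ends with the sign-file marker, 1 if not, 2 if unreadable.
# This only proves sign-file ran; it does not prove the kernel trusts the key.
module_is_signed() {
    [ -r "$1" ] || return 2
    tail -c 28 "$1" | grep -qF -- "$SIG_MARKER"
}

# Print every .ko in a directory that lacks the trailer, one per line.
# Returns 0 when all modules are signed, 1 when at least one is not.
list_unsigned_modules() {
    dir=$1
    unsigned=0
    for ko in "$dir"/*.ko; do
        [ -e "$ko" ] || continue
        if ! module_is_signed "$ko"; then
            printf '%s\n' "$ko"
            unsigned=1
        fi
    done
    return "$unsigned"
}

# Active lockdown mode from securityfs. Assumes the file reads e.g.
# "none [integrity] confidentiality" with the active mode in brackets.
lockdown_state() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
    else
        echo unknown
    fi
}

# Is the DER certificate already in MokListRT? Assumption: "mokutil --test-key"
# exits 0 only when the key is enrolled (check your mokutil release).
mok_key_enrolled() {
    mokutil --test-key "$1" >/dev/null 2>&1
}

# Usage: sh modsig-check.sh /lib/modules/$(uname -r)/updates [/path/to/MOK.der]
if [ $# -ge 1 ]; then
    echo "lockdown mode: $(lockdown_state)"
    if list_unsigned_modules "$1"; then
        echo "all modules in $1 carry a sign-file trailer"
    fi
    if [ $# -ge 2 ]; then
        if mok_key_enrolled "$2"; then
            echo "$2 is enrolled in MOK"
        else
            echo "$2 is NOT enrolled in MOK (mokutil --import it and reboot)"
        fi
    fi
fi
```

A module that passes the trailer check can still trigger the "unsigned module loading is restricted" message seen above: the kernel raises that lockdown reason for any module whose signature does not verify against its trusted keyrings, whether the signature is absent or merely made with a key the kernel does not hold. So when the trailer is present, the next thing to inspect is the key rather than the module: "modinfo -F sig_key nvidia" shows which key id the module was signed with, and "keyctl show %:.platform" (and "%:.machine" on kernels that have that keyring) shows which MOK certificates the kernel actually imported.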

