Signing modules with our own key in Leap 15.4
Hi,

We are trying to sign the virtualbox modules for testing on machines with secure boot. I have a script that works for Tumbleweed using a private key, but when the modules try to load on Leap 15.4, the following is logged:

[ 107.819531] PKCS7: sinfo 1: The signer 22450e37 key is not CodeSigning
[ 107.819534] Loading of module with unavailable key is rejected

Why does Leap 15.4 behave differently than Tumbleweed? Is there some setting I am missing? Is there a better way to sign these modules for our testing?

Thanks,

Larry
On 15.10.2022 04:39, Larry Finger wrote:
> Hi,
> We are trying to sign the virtualbox modules for testing on machines with secure boot. I have a script that works for Tumbleweed using a private key, but when the modules try to load on Leap 15.4, the following is logged:
> [ 107.819531] PKCS7: sinfo 1: The signer 22450e37 key is not CodeSigning
> [ 107.819534] Loading of module with unavailable key is rejected
> Why does Leap 15.4 behave differently than Tumbleweed?

Leap kernel has patches to enforce extended key usage codeSigning.

> Is there some setting I am missing?
> Is there a better way to sign these modules for our testing?

https://documentation.suse.com/sbp/all/single-html/SBP-KMP-Manual-SLE12SP2/i...
On Sat, Oct 15, 2022 at 08:22:01AM +0300, Andrei Borzenkov wrote:
> On 15.10.2022 04:39, Larry Finger wrote:
> > Hi,
> > We are trying to sign the virtualbox modules for testing on machines with secure boot. I have a script that works for Tumbleweed using a private key, but when the modules try to load on Leap 15.4, the following is logged:
> > [ 107.819531] PKCS7: sinfo 1: The signer 22450e37 key is not CodeSigning
> > [ 107.819534] Loading of module with unavailable key is rejected
> > Why does Leap 15.4 behave differently than Tumbleweed?
>
> Leap kernel has patches to enforce extended key usage codeSigning.

You need to enroll your private key with shim. The KMP packaging scripts should do that for you when you build and install a KMP, but you need to reboot and confirm the enrollment for it to take effect. See mokutil(1).

Thanks

Michal
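To make the two answers above concrete, here is an added shell example; it is not from the thread, from SUSE's documentation or from the KMP packaging scripts. It generates a module-signing key whose self-signed certificate carries the codeSigning extended key usage that the Leap kernel checks for, verifies that the EKU is really present before anything is signed, signs a module with the kernel's own sign-file, and queues the certificate for MOK enrollment with mokutil. Assumptions: openssl is installed; sign-file lives at /lib/modules/$(uname -r)/build/scripts/sign-file (an assumed path that comes with the kernel-devel packages); the module to sign is passed on the command line; the KEYDIR variable and all subject names are constructed for the example. The config writer can also omit the extendedKeyUsage line so that the check can be seen rejecting the kind of certificate a Tumbleweed-only script would produce.

```shell
#!/bin/sh
# Added example for this thread: module-signing key with codeSigning EKU,
# an EKU check, sign-file, and MOK enrollment. Paths marked "assumed" are
# not taken from the thread.
set -eu

# Write an OpenSSL request config. $1 = output path, $2 = "yes" to include
# the codeSigning extended key usage, "no" to leave it out (a certificate
# that loads on Tumbleweed but is rejected by the Leap 15.4 kernel).
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
string_mask = utf8only
x509_extensions = v3_ext

[ dn ]
O = Example Org (constructed)
CN = Out-of-tree module signing key (constructed example)

[ v3_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    if [ "$2" = yes ]; then
        # The extension behind "The signer ... key is not CodeSigning".
        printf 'extendedKeyUsage = codeSigning\n' >> "$1"
    fi
}

# Generate MOK.priv (PEM private key) and MOK.der (self-signed DER cert)
# in directory $1; $2 is passed through to write_openssl_cnf.
make_signing_key() {
    write_openssl_cnf "$1/signing.cnf" "$2"
    openssl req -new -x509 -newkey rsa:3072 -nodes -days 3650 \
        -config "$1/signing.cnf" \
        -keyout "$1/MOK.priv" -outform DER -out "$1/MOK.der" 2>/dev/null
}

# Succeed only if the DER certificate $1 carries the codeSigning EKU.
has_codesigning_eku() {
    openssl x509 -inform DER -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | grep -q 'Code Signing'
}

# Sign module $2 with the key pair in $1 using the kernel's sign-file
# (assumed path; shipped with the kernel-devel packages).
sign_module() {
    "/lib/modules/$(uname -r)/build/scripts/sign-file" sha256 \
        "$1/MOK.priv" "$1/MOK.der" "$2"
}

# Queue the certificate for the MOK list. mokutil asks for a one-time
# password; shim's MokManager asks for it again on the next boot, and only
# after that confirmation does the kernel trust the key.
enroll_cert() {
    mokutil --import "$1/MOK.der"
}

main() {
    keydir=${KEYDIR:-$(mktemp -d)}
    [ -f "$keydir/MOK.der" ] || make_signing_key "$keydir" yes
    if ! has_codesigning_eku "$keydir/MOK.der"; then
        echo "$keydir/MOK.der lacks the codeSigning EKU; Leap rejects modules signed with it" >&2
        exit 1
    fi
    sign_module "$keydir" "$1"
    enroll_cert "$keydir"
    echo "signed $1; keep $keydir/MOK.priv private and reboot to confirm enrollment"
}

# Usage: KEYDIR=/root/mok sh sign-module.sh /path/to/vboxdrv.ko
if [ $# -eq 1 ]; then
    main "$1"
fi
```

After the reboot, mokutil --list-enrolled shows whether the certificate made it into the MOK list, and modinfo -F signer on the .ko confirms which certificate signed it. Reusing the same KEYDIR across builds avoids a new enrollment each time, so the private key should be kept off shared build hosts.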