Hi,
I recently needed to rebuild one kmp package to add some changes.
I did that and I have been using it without trouble.
However, when I try to load such a module on a UEFI system with secure boot enabled I get:
modprobe: ERROR: could not insert '<module>': Operation not permitted
and dmesg shows:
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
After some googling I found that I need to sign the module I build myself in order
to make it load on a kernel with lockdown.
I followed the instructions in:
https://documentation.suse.com/sbp/all/html/SBP-KMP-Manual/index.html
8.2 Signing Module Object Files (UEFI Secure Boot)
I created a key and certificate (8.2.1)
I signed my KMP rpm (8.2.2) using modsign-repackage
I installed the rpm: <name>-kmp-<flavor> together with <name>-ueficert
then I imported the certificate installed by <name>-ueficert using mokutil
mokutil --import /etc/uefi/certs/<file>.crt
After reboot I enrolled the new certificate.
Now the command:
mokutil --list-enrolled
shows two certificates: the 'openSUSE Secure Boot CA' and the one I have enrolled.
However when I try to load my (now signed) kernel module I still get:
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
(but the command modsign-verify <module> gives: good signature)
Am I doing something wrong? Is the documentation I'm following outdated?
Is there a bug somewhere?
I don't think the problem is with the UEFI bios as I get the same results on real hardware
and in qemu.
Any help is appreciated.
Thanks.
Giacomo
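
The kernel recognizes a signed module by a fixed trailer at the end of the module image: a PKCS#7 blob, a 12-byte module_signature structure, then a marker string. The example below is added here and is not part of the original message or of the SUSE tooling; it parses that trailer from a .ko or .ko.xz file so the installed module can be checked independently of modsign-verify. The names inspect_module and make_sample are chosen for this example, and the sample image is constructed.

```python
import lzma
import struct

MAGIC = b"~Module signature appended~\n"   # marker the kernel looks for at end of file
TRAILER = struct.Struct(">BBBBB3sI")        # struct module_signature: 12 bytes, sig_len big-endian
PKEY_ID_PKCS7 = 2                           # the id_type the kernel accepts for module signatures
XZ_MAGIC = b"\xfd7zXZ\x00"

def inspect_module(data: bytes) -> dict:
    """Describe the appended-signature trailer of a module image (.ko or .ko.xz bytes)."""
    if data.startswith(XZ_MAGIC):           # for compressed modules the marker is inside the stream
        data = lzma.decompress(data)
    if not data.endswith(MAGIC):
        return {"signed": False, "reason": "no signature marker at end of file"}
    body = data[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        return {"signed": False, "reason": "file too short for trailer"}
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = \
        TRAILER.unpack(body[-TRAILER.size:])
    if sig_len > len(body) - TRAILER.size:
        return {"signed": False, "reason": "sig_len larger than file"}
    if id_type != PKEY_ID_PKCS7:
        return {"signed": False, "reason": f"unsupported id_type {id_type}"}
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        return {"signed": False, "reason": "trailer fields that must be zero are set"}
    sig_start = len(body) - TRAILER.size - sig_len
    return {"signed": True, "sig_len": sig_len, "module_len": sig_start,
            "pkcs7": body[sig_start:sig_start + sig_len]}

def make_sample(payload: bytes, sig: bytes, id_type: int = PKEY_ID_PKCS7) -> bytes:
    """Constructed test image: fake ELF payload + fake signature blob + trailer + marker."""
    return payload + sig + TRAILER.pack(0, 0, id_type, 0, 0, b"\0\0\0", len(sig)) + MAGIC

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # path to an installed module
        with open(sys.argv[1], "rb") as fh:
            info = inspect_module(fh.read())
    else:                                   # constructed sample, not a real module
        info = inspect_module(make_sample(b"\x7fELF" + b"\0" * 60, b"\x30\x82" + b"S" * 30))
    info.pop("pkcs7", None)                 # do not dump the raw signature blob
    print(info)
```

Run it with the path of the installed module as the only argument; with no argument it inspects the constructed sample.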
I require access to OS/2 constantly. Can this noise be prevented from
littering logs?
[...] CIFS VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
[...] CIFS VFS: Send error in QFSAttributeInfo = -95
--
Evolution as taught in public schools, like religion,
is based on faith, not on science.
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
On Tuesday, 3 November 2020, 12:46:49 CET, Stephan Kulow wrote:
> On 03.11.20 at 09:42, Hans-Peter Jansen wrote:
> > Hi,
> >
> > yesterday, I found myself digging in the guts of a kernel 5.9.3 build, that
> > succeeded with TW and failed with 15.2. This is the second time, a build
> > failed due to stale symlink checking with Leaps (at least).
> >
> > Given, that all kernel related development is done on TW, this is rather
> > unfortunate. Therefore, I kindly ask to enable the symlink checks, that are
> > enforced with Leaps, for TW as well.
> >
> > While such issues aren't a big deal, they're a PITA nevertheless.
>
> This has nothing to do with a 'development model', kernel-default.spec sets
> NO_BRP_STALE_LINK_ERROR=yes
This doesn't explain build differences between Leap and TW, does it?
Also, the first example is related to our kernel-firmware package, while the
latter affected kernel-source.
Cheers,
Pete
--
To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org
Hi,
yesterday, I found myself digging in the guts of a kernel 5.9.3 build, that
succeeded with TW and failed with 15.2. This is the second time, a build
failed due to stale symlink checking with Leaps (at least).
Given, that all kernel related development is done on TW, this is rather
unfortunate. Therefore, I kindly ask to enable the symlink checks, that are
enforced with Leaps, for TW as well.
While such issues aren't a big deal, they're a PITA nevertheless.
Examples:
https://lkml.org/lkml/2020/9/8/303
https://lkml.org/lkml/2020/11/2/1185
Cheers,
Pete