Hi Takashi,

On Sat, Nov 28, 2020 at 09:32:27AM +0100, Takashi Iwai wrote:
On Fri, 27 Nov 2020 21:06:44 +0100, Giacomo Comes wrote:
On Fri, Nov 27, 2020 at 03:41:58PM +0100, Takashi Iwai wrote:
On Fri, 27 Nov 2020 15:18:16 +0100, Giacomo Comes wrote:
Hi, I recently needed to rebuild one kmp package to add some changes. I did that and I have been using it without trouble.
However, when I try to load such module on a UEFI system with secure boot enabled I get:

modprobe: ERROR: could not insert '<module>': Operation not permitted

and dmesg shows:

Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7

After some googling I found that I need to sign the module I build myself in order to make it load on a kernel with lockdown. I followed the instructions in:
https://documentation.suse.com/sbp/all/html/SBP-KMP-Manual/index.html
8.2 Signing Module Object Files (UEFI Secure Boot)

I created a key and certificate (8.2.1)
I signed my KMP rpm (8.2.2) using modsign-repackage
I installed the rpm: <name>-kmp-<flavor> together with <name>-ueficert
then I imported the certificate installed by <name>-ueficert using mokutil
mokutil --import /etc/uefi/certs/<file>.crt
After reboot I enrolled the new certificate.

Now the command:
mokutil --list-enrolled
shows two certificates: the 'openSUSE Secure Boot CA' and the one I have enrolled.

However when I try to load my (now signed) kernel module I still get:
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
(but the command modsign-verify <module> gives: good signature)
Am I doing something wrong? Is the documentation I'm following outdated? Is there a bug somewhere? I don't think the problem is with the UEFI bios as I get the same results on real hardware and in qemu. Any help is appreciated.
Which kernel are you trying? Is it with the latest Leap 15.2 or SLE15-SP2? If yes, it might be due to the recently added codesign check. In short, the key has to be generated with an openssl option -addext "extendedKeyUsage=codeSigning"
You can look at a bugzilla entry below, for example: https://bugzilla.suse.com/show_bug.cgi?id=1178793
Thanks, that helped. In the end the recent change in the openSUSE kernel made the documentation I was following inaccurate. When creating key and certificate (step 8.2.1) it is necessary now to add the option '-addext "extendedKeyUsage=codeSigning"' to the openssl command.
I did that and now my signed module is loading.
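Added example (not code from the thread or from the SUSE documentation): a small POSIX shell script that generates a MOK signing certificate with the codeSigning extended key usage the lockdown check wants, beside one without it, and checks a certificate for that EKU before it is handed to modsign-repackage and mokutil. It assumes OpenSSL 1.1.1 or newer (needed for -addext); the subject names and file names are my own choice.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the SUSE KMP manual.
# Assumes OpenSSL >= 1.1.1 (the -addext option). File names are arbitrary.
set -e

# make_signing_cert <basename>: writes <basename>.key and <basename>.crt
# with the extendedKeyUsage=codeSigning extension that the Leap 15.2 /
# SLE15-SP2 kernel now requires on the certificate used to sign modules.
make_signing_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example module signing key" \
        -addext "extendedKeyUsage=codeSigning" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# make_plain_cert <basename>: the same request without -addext. This is the
# shape of certificate the older documentation produced; mokutil enrols it
# happily but the lockdown codesign check rejects modules signed with it.
make_plain_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example module signing key (no EKU)" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# has_codesigning_eku <cert>: succeeds only if the certificate's X509v3
# Extended Key Usage lists "Code Signing". Run this on the .crt before
# modsign-repackage / mokutil --import to catch the problem from the thread
# (good signature from modsign-verify, yet modprobe still refused) early.
has_codesigning_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'Code Signing'
}

# Usage: sh check_mok_cert.sh run
if [ "${1:-}" = "run" ]; then
    make_signing_cert mok
    if has_codesigning_eku mok.crt; then
        echo "mok.crt carries the codeSigning EKU; safe to use with modsign-repackage and mokutil --import"
    else
        echo "mok.crt lacks extendedKeyUsage=codeSigning; lockdown will reject modules signed with it" >&2
        exit 1
    fi
fi
```

The EKU check only tells you the certificate is acceptable to the kernel's codesign check; the certificate still has to be enrolled with mokutil and the module signed with the matching key, as in the thread.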
Good to hear.
Joey, we need to update the documentation above, too. Could you contact our documentation team and update the description?
Thanks for your reminder. I created a bug for documentation: https://bugzilla.suse.com/show_bug.cgi?id=1181033 Sorry for my delay! Joey Lee