Signed kernel module: how to
- Compilation of a kernel module like this example
- cd opencells-mods/gtp_mod
- make -C /lib/modules/$(uname -r)/build M=$PWD
- sudo cp gtp.ko /lib/modules/$(uname -r)/kernel/drivers/net/gtp.ko
- But although it compiled successfully, the module can’t be loaded
- modprobe gtp
- ERROR: could not insert 'gtp': Operation not permitted
The kernel was booted with “secure boot” enabled, so the unsigned module can’t be loaded
This issue also occurs with other modules in OAI, like ue_ip.ko
- Solution 1
- Remove “secure boot” entirely (the kernel then accepts any unsigned module, not only yours)
- How this is done depends on the UEFI BIOS
- It can be done with mokutil:
sudo apt install mokutil
sudo mokutil --disable-validation
- After this, reboot the computer: the UEFI BIOS should ask for the password you set with “mokutil”, then ask you to confirm that secure boot should be disabled
- Solution 2
- Sign your modules
- Add your own key to the list of valid signing keys
- Create the signing key pair
openssl req -new -x509 -newkey rsa:2048 -keyout OCP.priv -outform DER -out OCP.der -nodes -days 36500 -subj "/CN=OpenCells/"
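- Keep the two files OCP.der and OCP.priv, as you’ll need them to sign your kernel modules. OCP.priv is written unencrypted (-nodes): anyone who can read it can sign modules that this machine will load, so restrict access to it
- Import the certificate into UEFI boot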
sudo mokutil --import OCP.der
- It asks for a password: enter any string, you’ll need it only once, at the next reboot, to confirm the enrollment of the new key
- You need to reboot the machine to enroll this new key
- Now you can sign your modules
- each time you compile a module, you have to sign it
- (after: sudo cp gtp.ko /lib/modules/`uname -r`/kernel/drivers/net/gtp.ko)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./OCP.priv ./OCP.der $(modinfo -n gtp)
- Now “sudo modprobe gtp” should not complain anymore
- You’ll need to recompile and update the module (and sign it again) after each Ubuntu kernel upgrade
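
To check that the signing step took effect before trying modprobe, the added example below (not part of the original page) inspects the end of a .ko file for the trailer that sign-file appends. The trailer layout is taken from the kernel's module_signature.h; the function names and the constructed sample are assumptions of this example. It confirms only that a signature is present, not that it was made with an enrolled key.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that sign-file appended
# a signature to a .ko. Assumed layout (kernel module_signature.h):
#   <module> <PKCS#7 blob> <12-byte struct module_signature> <28-byte marker>
# Usage: sh check_sig.sh "$(modinfo -n gtp)"
MARKER='~Module signature appended~\n'
MARKER_HEX=$(printf "$MARKER" | od -An -v -tx1 | tr -d ' \n')

# Exit 0 if FILE ends with the 28-byte marker.
has_sig_marker() {
    [ "$(tail -c 28 "$1" 2>/dev/null | od -An -v -tx1 | tr -d ' \n')" = "$MARKER_HEX" ]
}

# Print the signature length in bytes.
# Exit 1: unsigned; exit 2: marker present but trailer inconsistent.
sig_len() {
    has_sig_marker "$1" || return 1
    size=$(( $(wc -c < "$1") ))
    [ "$size" -ge 40 ] || return 2
    # Fields: algo hash id_type signer_len key_id_len pad[3] sig_len(be32)
    set -- $(tail -c 40 "$1" | od -An -v -tu1 -N 12)
    [ $# -eq 12 ] && [ "$3" -eq 2 ] || return 2     # 2 = PKEY_ID_PKCS7
    len=$(( ($9 << 24) + (${10} << 16) + (${11} << 8) + ${12} ))
    # The signature blob must fit in the file ahead of the trailer.
    [ "$len" -gt 0 ] && [ $((len + 40)) -le "$size" ] || return 2
    echo "$len"
}

# Constructed sample (not a real module): fake body, 256 filler bytes
# standing in for the signature, a trailer declaring sig_len=256, the marker.
make_sample() {
    { printf 'not-a-real-module'
      printf '%0256d' 0
      printf '\000\000\002\000\000\000\000\000\000\000\001\000'
      printf "$MARKER"; } > "$1"
}

for ko in "$@"; do
    if n=$(sig_len "$ko"); then
        echo "$ko: signed ($n-byte signature)"
    else
        echo "$ko: NOT signed, or signature trailer damaged"
    fi
done
```

Modules that a distribution ships compressed (.ko.zst, .ko.xz) must be decompressed before this check; a freshly built gtp.ko is not compressed.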