kernel module in UEFI secure boot

Signed kernel module: how to

  • Compilation of a kernel module, for example:
    • cd opencells-mods/gtp_mod
    • make -C /lib/modules/$(uname -r)/build M=$PWD
    • sudo cp gtp.ko /lib/modules/$(uname -r)/kernel/drivers/net/gtp.ko
  • But, although it compiled successfully, the module can’t be loaded
    • modprobe gtp
    • ERROR: could not insert ‘gtp’: Operation not permitted
    • dmesg gives the real reason: “gtp: Loading of unsigned module is rejected”

Because the kernel was booted with Secure Boot enabled (check with “sudo mokutil --sb-state”), it enforces module signatures and refuses any module that is not signed by a key it trusts.

This issue also occurs with other modules in AOI, like

  • Solution 1
      • Disable signature validation (the weak option: it drops the protection for every kernel and module you boot, not only this one)
      • Turning Secure Boot off in the firmware setup depends on your UEFI BIOS
      • A firmware-independent way is to tell shim to stop validating signatures:
      • sudo apt install mokutil
        sudo mokutil --disable-validation
      • After this, reboot the computer: the shim’s MokManager screen (not the BIOS itself) asks for the password you set with “mokutil”, then asks you to confirm disabling validation
  • Solution 2 (preferred)
    • Sign your modules
    • add your own key to the keys the kernel trusts (a Machine Owner Key, MOK)
      • create a signing key pair (a self-signed X.509 certificate plus its private key)
      • openssl req -new -x509 -newkey rsa:2048 -keyout OCP.priv -outform DER -out OCP.der -nodes -days 36500 -subj "/CN=OpenCells/"
      • keep the two files OCP.der and OCP.priv, as you’ll need them to sign your kernel modules; OCP.priv is unencrypted (-nodes), so keep it readable only by you (chmod 600): anyone holding it can sign modules your kernel will load
      • import the certificate into the UEFI MOK list
      • sudo mokutil --import OCP.der
      • It asks for a password: put any string, you’ll need it once, at the next reboot, to confirm the enrolment of the new key in MokManager
      • You need to reboot the machine to enroll this new key; afterwards “mokutil --list-enrolled” should list a certificate whose subject is OpenCells
    • Now you can sign your modules
      • each time you compile a module, you have to sign it
      • (after: sudo cp gtp.ko /lib/modules/`uname -r`/kernel/drivers/net/gtp.ko)
    • sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./OCP.priv ./OCP.der $(modinfo -n gtp)
    • check it with “modinfo gtp | grep -E 'signer|sig_key'”: the signer should be OpenCells
    • now “sudo modprobe gtp” should not complain anymore
  • You’ll need to recompile, reinstall and re-sign the module after each Ubuntu kernel upgrade; the enrolled key itself survives (it is stored in UEFI variables), so there is no need to import it again
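The signing step above, wrapped in a script with the checks a practitioner wants before calling modprobe, as an added example that is not part of the original post. It assumes a hypothetical KEY_DIR (default $HOME/mok) holding the OCP.priv and OCP.der generated above, and sign-file from the running kernel’s headers as in the post. The verification relies on the fixed trailer the kernel’s sign-file appends to every signed module: the PKCS#7 blob, a 12-byte struct module_signature, then the literal marker “~Module signature appended~” and a newline.

```shell
#!/bin/sh
# Added example, not from the original post: sign a freshly built module with the
# OCP MOK key and verify the signature was really appended before running modprobe.
# Assumed (hypothetical) layout: $KEY_DIR holds OCP.priv and OCP.der.
set -e

KEY_DIR="${KEY_DIR:-$HOME/mok}"
SIGN_FILE="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"

# sign-file appends, after the ELF image:
#   <PKCS#7 blob> <12-byte struct module_signature> "~Module signature appended~\n"
# struct module_signature = algo, hash, id_type, signer_len, key_id_len, pad[3],
# then sig_len as a big-endian u32. id_type 2 means PKCS#7 (the only type today).
SIG_MAGIC='~Module signature appended~'   # 27 bytes, followed by a newline
TRAILER_LEN=40                            # 12-byte struct + 28-byte magic

# module_is_signed FILE: true when FILE ends with the signature marker
module_is_signed() {
    [ "$(tail -c 28 "$1")" = "$SIG_MAGIC" ]
}

# module_sig_len FILE: print the PKCS#7 blob length recorded in the trailer
# (the 4 bytes just before the magic, big-endian)
module_sig_len() {
    set -- $(tail -c 32 "$1" | head -c 4 | od -An -tu1)
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# module_sig_type FILE: print the id_type byte of the trailer (expect 2 = PKCS#7)
module_sig_type() {
    set -- $(tail -c "$TRAILER_LEN" "$1" | head -c 3 | od -An -tu1)
    echo "$3"
}

# mok_enrolled: true when the OpenCells certificate is in the enrolled MOK list
mok_enrolled() {
    mokutil --list-enrolled 2>/dev/null | grep -q 'OpenCells'
}

# sign_module FILE.ko: sign in place unless already signed, then verify the trailer
sign_module() {
    mod="$1"
    [ -r "$KEY_DIR/OCP.priv" ] || { echo "missing $KEY_DIR/OCP.priv" >&2; return 1; }
    if module_is_signed "$mod"; then
        echo "already signed: $mod"
    else
        sudo "$SIGN_FILE" sha256 "$KEY_DIR/OCP.priv" "$KEY_DIR/OCP.der" "$mod"
    fi
    module_is_signed "$mod" || { echo "no signature trailer on $mod" >&2; return 1; }
    echo "signature: id_type $(module_sig_type "$mod"), $(module_sig_len "$mod") bytes of PKCS#7"
    # modinfo reads the same trailer and reports the certificate's CN as signer
    modinfo "$mod" | grep -E '^(signer|sig_key|sig_hashalgo)'
}

# Usage: ./sign-mod.sh gtp   (after the cp into /lib/modules/...)
if [ -n "${1:-}" ]; then
    mok_enrolled || echo "warning: OpenCells key not in the MOK list; modprobe will still fail" >&2
    sign_module "$(modinfo -n "$1")"
fi
```

The cp in the post overwrites an existing in-tree module path, so modinfo -n finds it without further work; if you install a module under a new path, run “sudo depmod -a” first. The trailer checks only prove a signature is present and well-formed; whether the kernel accepts it still depends on the OpenCells certificate being enrolled, which is why the script warns when mokutil does not list it.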
