{"id":246,"date":"2017-06-08T10:06:54","date_gmt":"2017-06-08T10:06:54","guid":{"rendered":"http:\/\/open-cells.com\/?p=246"},"modified":"2019-02-04T16:41:08","modified_gmt":"2019-02-04T16:41:08","slug":"kernel-module-uefi-secure-boot","status":"publish","type":"post","link":"https:\/\/open-cells.com\/index.php\/2017\/06\/08\/kernel-module-uefi-secure-boot\/","title":{"rendered":"kernel module in UEFI secure boot"},"content":{"rendered":"<p>Signed kernel module: how to<\/p>\n<ul>\n<li>Compile a kernel module, as in this example:\n<ul>\n<li><em>cd opencells-mods\/gtp_mod<\/em><\/li>\n<li><em>make -C \/lib\/modules\/$(uname -r)\/build M=$PWD<\/em><\/li>\n<li><em>sudo cp gtp.ko \/lib\/modules\/$(uname -r)\/kernel\/drivers\/net\/gtp.ko<\/em><\/li>\n<\/ul>\n<\/li>\n<li>But although it compiled successfully, the module can&#8217;t be loaded:\n<ul>\n<li><em>modprobe gtp<\/em><\/li>\n<li><strong><em>ERROR: could not insert &#8216;gtp&#8217;: Operation not permitted<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Your kernel was booted in &#8220;secure boot&#8221; mode, so the module can&#8217;t be loaded.<\/p>\n<p>This issue also occurs with other modules in OAI, like ue_ip.ko.<\/p>\n<ul>\n<li>Solution 1\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Remove &#8220;secure boot&#8221; entirely<\/li>\n<li>This depends on the UEFI BIOS<\/li>\n<li>It can be done with:<\/li>\n<li>\n<pre><code>sudo apt install mokutil\n<\/code>\n<code>sudo mokutil --disable-validation<\/code><\/pre>\n<\/li>\n<li>After this, reboot the computer; the UEFI BIOS should ask for the password you set with &#8220;mokutil&#8221;, then ask you to confirm disabling secure boot<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Solution 2\n<ul>\n<li>Sign your modules<\/li>\n<li>Add your own signature to the valid signatures\n<ul>\n<li>create ciphering 
keys<\/li>\n<li>\n<pre><em>openssl req -new -x509 -newkey rsa:2048 -keyout OCP.priv -outform DER -out OCP.der -nodes -days 36500 -subj \"\/CN=OpenCells\/\"<\/em><\/pre>\n<\/li>\n<li>Keep the two files OCP.der and OCP.priv, as you&#8217;ll need them to sign your kernel modules<\/li>\n<li>Import it into the UEFI boot<\/li>\n<li>\n<pre><em>sudo mokutil --import OCP.der<\/em><\/pre>\n<\/li>\n<li>It asks for a password: enter any string; you&#8217;ll need it once, at the next reboot, to secure the enrollment of the new key<\/li>\n<li>You need to reboot the machine to enroll this new key<\/li>\n<\/ul>\n<\/li>\n<li>Now you can sign your modules\n<ul>\n<li>Each time you compile a module, you have to sign it<\/li>\n<li>(after: <em>sudo cp gtp.ko \/lib\/modules\/`uname -r`\/kernel\/drivers\/net\/gtp.ko<\/em>)<\/li>\n<\/ul>\n<\/li>\n<li>\n<pre><em>sudo \/usr\/src\/linux-headers-$(uname -r)\/scripts\/sign-file sha256 .\/OCP.priv .\/OCP.der $(modinfo -n gtp)<\/em><\/pre>\n<\/li>\n<li>Now &#8220;<em>sudo modprobe gtp<\/em>&#8221; should not complain anymore<\/li>\n<\/ul>\n<\/li>\n<li>You&#8217;ll need to compile and update the module after each Ubuntu kernel upgrade<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Signed kernel module: how to Compile a kernel module, as in this example: cd opencells-mods\/gtp_mod make -C \/lib\/modules\/$(uname -r)\/build M=$PWD sudo cp gtp.ko \/lib\/modules\/$(uname -r)\/kernel\/drivers\/net\/gtp.ko But although it compiled successfully, the module can&#8217;t be loaded: modprobe gtp ERROR: could not insert &#8216;gtp&#8217;: Operation not permitted your kernel boot is in &#8220;secure boot&#8221;, the &hellip; <a href=\"https:\/\/open-cells.com\/index.php\/2017\/06\/08\/kernel-module-uefi-secure-boot\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;kernel module in UEFI secure 
boot&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-246","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/posts\/246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/comments?post=246"}],"version-history":[{"count":7,"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/posts\/246\/revisions"}],"predecessor-version":[{"id":1035,"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/posts\/246\/revisions\/1035"}],"wp:attachment":[{"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/media?parent=246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/categories?post=246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/open-cells.com\/index.php\/wp-json\/wp\/v2\/tags?post=246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}