* signing kernel modules on RHEL 7
@ 2015-05-20 12:41 Chakradhar thota
  2015-05-20 13:04 ` Saumendra Dash
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Chakradhar thota @ 2015-05-20 12:41 UTC (permalink / raw)
  To: kernelnewbies

Hello Everyone,

I have compiled a kernel module on RHEL7, but when I insert the module, I
got the following warning:

"module verification failed: signature and/or required key missing -
tainting kernel".

I tried signing the module on a custom kernel and found it working.
How can we sign the module for a target system with a standard RHEL distribution?
Where can we find keys for signing the module on a standard kernel?

Regards,
Chakradhar

^ permalink raw reply	[flat|nested] 6+ messages in thread

* signing kernel modules on RHEL 7
  2015-05-20 12:41 signing kernel modules on RHEL 7 Chakradhar thota
@ 2015-05-20 13:04 ` Saumendra Dash
  2015-05-22 13:12 ` Jerry Snitselaar
  2015-05-28  7:44 ` Li Wei
  2 siblings, 0 replies; 6+ messages in thread
From: Saumendra Dash @ 2015-05-20 13:04 UTC (permalink / raw)
  To: kernelnewbies

>I have compiled a kernel module on RHEL7, but when I insert the module, I got the following warning:

>"module verification failed: signature and/or required key missing - tainting kernel".

>I tried signing the module on a custom kernel and found it working.
>How can we sign the module for a target system with a standard RHEL distribution?
>Where can we find keys for signing the module on a standard kernel?

Kernel module signature verification has been enabled on your system, which gives warnings while loading modules that have not been signed by the vendor.
Not a big problem though...

Try to compile with the following flags off during menuconfig:
- CONFIG_MODULE_SIG
- CONFIG_MODULE_SIG_ALL

Hope it helps.

Thanks,
Saumendra




^ permalink raw reply	[flat|nested] 6+ messages in thread

* signing kernel modules on RHEL 7
  2015-05-20 12:41 signing kernel modules on RHEL 7 Chakradhar thota
  2015-05-20 13:04 ` Saumendra Dash
@ 2015-05-22 13:12 ` Jerry Snitselaar
  2015-05-28  7:44 ` Li Wei
  2 siblings, 0 replies; 6+ messages in thread
From: Jerry Snitselaar @ 2015-05-22 13:12 UTC (permalink / raw)
  To: kernelnewbies

On Wed May 20 15, Chakradhar thota wrote:
> Hello Everyone,
> 
> I have compiled a kernel module on RHEL7, but when I insert the module, I
> got the following warning:
> 
> "module verification failed: signature and/or required key missing -
> tainting kernel".
> 
> I tried signing the module on a custom kernel and found it working.
> How can we sign the module for a target system with a standard RHEL distribution?
> Where can we find keys for signing the module on a standard kernel?
> 
> Regards,
> Chakradhar
> 

Install the kernel-doc package and then look at:

/usr/share/doc/kernel-<insert-your-kernel-version-here>/Documentation/module-signing.txt

^ permalink raw reply	[flat|nested] 6+ messages in thread

* signing kernel modules on RHEL 7
  2015-05-20 12:41 signing kernel modules on RHEL 7 Chakradhar thota
  2015-05-20 13:04 ` Saumendra Dash
  2015-05-22 13:12 ` Jerry Snitselaar
@ 2015-05-28  7:44 ` Li Wei
  2015-05-28  9:08   ` Chakradhar thota
  2 siblings, 1 reply; 6+ messages in thread
From: Li Wei @ 2015-05-28  7:44 UTC (permalink / raw)
  To: kernelnewbies

Hi,

On 05/20/2015 08:41 PM, Chakradhar thota wrote:
> Hello Everyone,
> 
> I have compiled a kernel module on RHEL7, but when I insert the module, I
> got the following warning:
> 
> "module verification failed: signature and/or required key missing -
> tainting kernel".
> 
> I tried signing the module on a custom kernel and found it working.
> How can we sign the module for a target system with a standard RHEL distribution?
> Where can we find keys for signing the module on a standard kernel?

You will never get the signing key from RH; it's RH's private key.
You should import your own key into the MOK (Machine Owner Key) list and use
your own private key to sign the module.

RH has a document on this:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html

> 
> Regards,
> Chakradhar
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread
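
An added example, not part of the original thread and not code from the kernel or Red Hat: a Python check for whether a `.ko` file carries the appended-signature trailer that the loader looks for, and which signer it names. The layout follows the kernel's `struct module_signature` as used by kernels of this era (signer name, key id and signature placed before the trailer); the function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

# Marker the module loader looks for at the very end of a signed .ko file.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then a big-endian 32-bit signature length (12 bytes total).
TRAILER = struct.Struct(">BBBBB3xI")


def parse_module_signature(blob):
    """Return trailer metadata for a module image, or None if it is unsigned."""
    if not blob.endswith(MAGIC):
        return None  # never signed, or stripped after signing
    end = len(blob) - len(MAGIC) - TRAILER.size
    if end < 0:
        raise ValueError("truncated signature trailer")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = \
        TRAILER.unpack_from(blob, end)
    start = end - (signer_len + key_id_len + sig_len)
    if start < 0:
        raise ValueError("signature lengths exceed file size")
    signer = blob[start:start + signer_len]
    key_id = blob[start + signer_len:start + signer_len + key_id_len]
    return {
        "signer": signer.decode("utf-8", "replace"),
        "key_id": key_id.hex(),
        "algo": algo,
        "hash_id": hash_id,
        "id_type": id_type,
        "sig_len": sig_len,
        "payload_len": start,  # bytes of actual module (ELF) content
    }


def build_sample(signer=b"Example Org module signing key"):
    """Constructed input: fake ELF payload plus a well-formed trailer."""
    payload = b"\x7fELF" + bytes(60)
    key_id, sig = bytes(range(20)), bytes(256)
    # algo=1, hash=4, id_type=1 are constructed sample values.
    trailer = TRAILER.pack(1, 4, 1, len(signer), len(key_id), len(sig))
    return payload + signer + key_id + sig + trailer + MAGIC


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(parse_module_signature(data) or "no appended signature")
```

A trailer being present only shows that something was appended; the kernel still has to verify the signature against a key it trusts, which is where the MOK enrollment comes in. Running `strip` on a module after signing removes the trailer and brings the warning back.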

* signing kernel modules on RHEL 7
  2015-05-28  7:44 ` Li Wei
@ 2015-05-28  9:08   ` Chakradhar thota
  2015-06-04  9:15     ` Li Wei
  0 siblings, 1 reply; 6+ messages in thread
From: Chakradhar thota @ 2015-05-28  9:08 UTC (permalink / raw)
  To: kernelnewbies

Thank you, Li Wei.
Is MOK supported in Legacy BIOS? I have tried to import, but after
reboot I couldn't find the key registered.
All articles on signing kernel modules mention a UEFI environment
for registering MOK.
Can we register MOK with Legacy BIOS?

On Thu, May 28, 2015 at 1:14 PM, Li Wei <lw@cn.fujitsu.com> wrote:
> Hi,
>
> On 05/20/2015 08:41 PM, Chakradhar thota wrote:
>> Hello Everyone,
>>
>> I have compiled a kernel module on RHEL7, but when I insert the module, I
>> got the following warning:
>>
>> "module verification failed: signature and/or required key missing -
>> tainting kernel".
>>
>> I tried signing the module on a custom kernel and found it working.
>> How can we sign the module for a target system with a standard RHEL distribution?
>> Where can we find keys for signing the module on a standard kernel?
>
> You will never get the signing key from RH; it's RH's private key.
> You should import your own key into the MOK (Machine Owner Key) list and use
> your own private key to sign the module.
>
> RH has a document on this:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html
>
>>
>> Regards,
>> Chakradhar
>>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* signing kernel modules on RHEL 7
  2015-05-28  9:08   ` Chakradhar thota
@ 2015-06-04  9:15     ` Li Wei
  0 siblings, 0 replies; 6+ messages in thread
From: Li Wei @ 2015-06-04  9:15 UTC (permalink / raw)
  To: kernelnewbies



On 05/28/2015 05:08 PM, Chakradhar thota wrote:
> Thank you Li Wei.
> Is MOK supported in Legacy BIOS? I have tried to import, but after

No, MOK is some kind of UEFI thing.

MOK is the only way to insert your own public key without recompiling the kernel.

Thanks.

> reboot I couldn't find the key registered.
> All articles on signing kernel modules mention a UEFI environment
> for registering MOK.
> Can we register MOK with Legacy BIOS?
> 
> On Thu, May 28, 2015 at 1:14 PM, Li Wei <lw@cn.fujitsu.com> wrote:
>> Hi,
>>
>> On 05/20/2015 08:41 PM, Chakradhar thota wrote:
>>> Hello Everyone,
>>>
>>> I have compiled a kernel module on RHEL7, but when I insert the module, I
>>> got the following warning:
>>>
>>> "module verification failed: signature and/or required key missing -
>>> tainting kernel".
>>>
>>> I tried signing the module on a custom kernel and found it working.
>>> How can we sign the module for a target system with a standard RHEL distribution?
>>> Where can we find keys for signing the module on a standard kernel?
>>
>> You will never get the signing key from RH; it's RH's private key.
>> You should import your own key into the MOK (Machine Owner Key) list and use
>> your own private key to sign the module.
>>
>> RH has a document on this:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html
>>
>>>
>>> Regards,
>>> Chakradhar
>>>

^ permalink raw reply	[flat|nested] 6+ messages in thread
