This repository has been archived by the owner on Jan 20, 2023. It is now read-only.
Since version 5.4, the Linux kernel has lockdown enabled by default when SecureBoot is enabled. Therefore, we have to sign all modules to successfully boot the system. There are plenty of tutorials on how to do it with MOK keys and mokutils; however, virtually none of the blog posts and tutorials mention the need to use Shim to provide a MOK key validation wrapper in EFI.
When using SecureBoot in user mode, we do not need MOK; we just need to sign the modules using the DB keys that Sicherboot generates. Therefore, there should be a hook to do this automatically for the modules of the installed kernels.
I tried this for Virtualbox modules built by DKMS in Debian, and it seems to work just fine. I used the following script:
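A signing hook of the kind described in this post, added here as an example; it is not the reporter's script and not part of sicherboot. It assumes Debian's layout (DKMS output under /lib/modules/KVER/updates, headers under /usr/src/linux-headers-KVER) and takes the db key and certificate paths as arguments.

```shell
#!/bin/sh
# Added example: sign out-of-tree (DKMS) modules for one kernel with the kernel's
# own scripts/sign-file and a Secure Boot db key. Assumed paths (not from the
# issue): /lib/modules/$KVER/updates for DKMS output, /usr/src/linux-headers-$KVER
# for sign-file. Signing must happen before any .ko.xz/.ko.zst compression, so
# only plain .ko files are handled.
set -eu

# Every signed module ends with this marker (MODULE_SIG_STRING in the kernel).
SIG_MARKER='~Module signature appended~'

# Return 0 if FILE already carries an appended module signature, 1 otherwise.
# The marker plus its trailing newline is 28 bytes, so only the tail is read.
is_signed() {
    tail -c 28 "$1" | grep -qF "$SIG_MARKER"
}

# Sign one module in place unless it is already signed.
sign_module() {
    kver=$1; key=$2; cert=$3; mod=$4
    signfile="/usr/src/linux-headers-$kver/scripts/sign-file"
    if is_signed "$mod"; then
        echo "already signed: $mod"
        return 0
    fi
    # sign-file accepts the certificate in PEM or DER form.
    "$signfile" sha256 "$key" "$cert" "$mod"
    echo "signed: $mod"
}

# Sign every uncompressed .ko below the out-of-tree module directory of KVER.
# Returns 0 (and does nothing) when that kernel has no such modules.
sign_dkms_modules() {
    kver=$1; key=$2; cert=$3
    moddir="/lib/modules/$kver/updates"
    [ -d "$moddir" ] || { echo "no out-of-tree modules for $kver"; return 0; }
    find "$moddir" -type f -name '*.ko' | while read -r mod; do
        sign_module "$kver" "$key" "$cert" "$mod"
    done
}

# Usage: sign-dkms-modules.sh KVER DB_KEY DB_CRT
# Run it after DKMS has built the modules for KVER (e.g. from a kernel
# postinst hook, where $1 is the kernel version).
if [ "$#" -eq 3 ]; then
    sign_dkms_modules "$1" "$2" "$3"
fi
```

Because the check only looks at the trailer marker, it tells you a signature is present, not that it was made with a key the running kernel trusts; `modinfo -F sig_key MODULE.ko` shows which key was used.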
Honestly, I have no idea. I could not find anything useful on this matter. So, I guess the support is well hidden or missing.
I'm a little bit confused about the module signing. As far as I understand, the kernel validates modules using some EFI service and thus using the db.key, but it also uses some other mechanism to validate upstream modules from the linux-image package, because the linux-image-*-unsigned package does not boot due to missing module signatures (but the kernel itself loads, because it is signed by Sicherboot).
When not using Shim and Grub, I do not know where the kernel could receive other keys usable for module verification, unless such a key were compiled into the kernel (I guess that is the case with the distribution key).
This script is wrong, untested, and probably does the signing in the wrong place. But it does the trick.