
Issue:

I'm trying to use signed kernel modules, but getting a failure for the insmod command:

PKCS#7 signature not signed with a trusted key

There is a potentially related error message during Linux boot:

[    3.342888] Loading compiled-in X.509 certificates
[    3.391774] Problem loading in-kernel X.509 certificate (-129)

The command cat /proc/keys shows .builtin_trusted_keys: empty

Setup:

The 4.9.x kernel was compiled with the following defconfig options:

...
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODVERSIONS=y
CONFIG_MODULE_SRCVERSION_ALL=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_PATH=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_BRINGUP=y
CONFIG_DEFAULT_SECURITY_DAC=y
...

Modules were signed with a command: sign-file sha256 certs/signing_key.pem certs/signing_key.x509 <.ko>

Comments:

I assume I need to fix the in-kernel X.509 certificate loading error, but I haven't come across how to do that. I thought the file certs/signing_key.pem generated during kernel compilation would be wrapped into the kernel but it appears not based on /proc/keys. I don't want to disable signing or allow unsigned modules, I just want to sign them properly with a trusted key. If anyone has advice, that would be much appreciated.

The posts I've found regarding nvidia drivers and Ubuntu/Fedora haven't yielded any progress yet. Example: PKCS#7 signature not signed with a trusted key
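Before comparing anything against /proc/keys it helps to look at what the module file itself carries. The following is an added example, not part of the original question: it splits a .ko into its payload and the appended PKCS#7 blob using the trailer layout that scripts/sign-file writes (PKCS#7 DER, a 12-byte struct module_signature, then the magic string). The sample module bytes and the DER blob are constructed stand-ins, not a real signature.

```python
import struct

# Layout appended by scripts/sign-file and checked by kernel/module_signing.c:
#   [module ELF][PKCS#7 DER][struct module_signature, 12 bytes][magic, 28 bytes]
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, __pad[3], sig_len (big-endian u32)
SIG_STRUCT = struct.Struct(">BBBBB3sI")
PKEY_ID_PKCS7 = 2


def build_signed_module(payload: bytes, pkcs7_der: bytes) -> bytes:
    """Append a trailer the way sign-file does; used here only to build a constructed sample."""
    trailer = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7_der))
    return payload + pkcs7_der + trailer + MAGIC


def parse_module_signature(data: bytes) -> dict:
    """Split a .ko image into payload and PKCS#7 blob, applying the kernel's sanity checks."""
    if not data.endswith(MAGIC):
        raise ValueError("no module signature appended (unsigned or stripped module)")
    body = data[:-len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:])
    body = body[:-SIG_STRUCT.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported key id type {id_type}")
    # For PKCS#7 the kernel requires these fields to be zero (the info lives in the blob).
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("algo/hash/signer/key_id fields must be zero for PKCS#7")
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len is zero or exceeds module size")
    return {"payload": body[:-sig_len], "pkcs7": body[-sig_len:], "sig_len": sig_len}


# Constructed sample: fake module bytes and a fake DER blob standing in for the signature.
SAMPLE_PAYLOAD = b"\x7fELF" + b"\0" * 60
SAMPLE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 256   # right shape, not a real PKCS#7
SAMPLE_MODULE = build_signed_module(SAMPLE_PAYLOAD, SAMPLE_PKCS7)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MODULE
    info = parse_module_signature(data)
    print(f"PKCS#7 blob: {info['sig_len']} bytes, payload: {len(info['payload'])} bytes")
```

Run it against a real .ko and write `info['pkcs7']` to a file; `openssl asn1parse -inform DER` on that file shows the issuer and serial the SignerInfo names, which is the certificate that must appear on `.builtin_trusted_keys` for insmod to accept the module.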

2 Answers


I think the kernel compilation expects the signing_key.* files in the base directory of the kernel source tree and not under a "certs" subdirectory. The compilation process should automatically sign the standard modules for you; only third-party modules should need manual signing.

Also, my old script for compiling a 4.9.* kernel with signed modules had the certificate file in DER format. Perhaps it was necessary?

In the 4.14 and newer kernels, the procedure is a bit different: there is a kernel configuration option for specifying the pathname of the certificate file.

telcoM

  • I tried specifying SYSTEM_TRUSTED_KEYS=certs/signing_key.pem, but the result was the same. I think you are on to something regarding paths though. – bjornruffians Oct 01 '18 at 13:32
  • Another data point: I did not create the files certs/signing_key.*. They were created during the kernel build process at that location. That's why I'm a bit confused why the kernel isn't pulling the key in by default. – bjornruffians Oct 01 '18 at 13:48

@bjornruffians You can create your own x509.genkey file and copy it into the kernel source, i.e. into the certs/ folder, before compilation. Warning: do not copy your custom/manually generated signing_key.pem or any other file except x509.genkey into the certs folder, because the kernel will auto-generate the signing_key.x509 and signing_key.pem files from your x509.genkey file.