Problem using signed kernel module


I installed VirtualBox but since SecureBoot is enabled, I need to sign Vbox’s kernel modules first.
I followed the Fedora guide regarding signing kernel modules with no luck.

I’ve generated an X.509 key pair, then imported the public key using mokutil --import and then rebooted to enroll the key. It’s shown in mokutil as enrolled, and it’s listed in keyctl list %:.platform (FedoraDocs states it should be in the builtin_trusted_keys keyring, not in ‘platform’, maybe that’s the problem).

But after signing the modules, modprobe vboxdrv gets PKCS#7 signature not signed with a trusted key error.

I’ve used /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./private_key.priv ./public_key.der $module_name_here to sign the modules.

sign-file takes an argument to a file, not a module. Make the last command sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./private_key.priv ./public_key.der $(modinfo -n <module name here>)

Edit: You say that you are using Fedora 29. Which kernel version? There were two bugs that affected some 5.0.x versions; one allowed unsigned modules to load under kernel lockdown (which secure boot triggers to have secure boot-esque features once the system has booted. No matter, you can look into it if you want), the other stopped accepting user-generated keys (or something along those lines. I didn’t understand this one as well and just waited for an update). I think that kernel 5.0.11 fixes both for Fedora 29.
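
The point in the answer above (sign-file needs the module's file path), as an added example that is not part of either post: the script resolves each module name with modinfo -n, runs sign-file with the arguments from the question, and then checks that the file ends with the kernel's appended-signature trailer. The script name sign-vbox.sh and the function names are hypothetical; the key file names are the ones used in the question.

```shell
#!/bin/sh
# Added example. Usage (as root): sh sign-vbox.sh vboxdrv
# A signed module file ends with this 28-byte trailer (27 characters + newline).
MAGIC_HEX=$(printf '~Module signature appended~\n' | od -An -tx1 | tr -d ' \n')

# True when FILE ends with the trailer. This only shows that a signature is
# present; it does not show that the signing key is trusted by the kernel.
has_module_sig() {
    [ -f "$1" ] || return 1
    [ "$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')" = "$MAGIC_HEX" ]
}

# sign_modules SIGN_FILE PRIVATE_KEY PUBLIC_KEY MODULE...
# MODULE may be a module name or a path to a module file.
# Returns non-zero if any module ends up without a signature trailer.
sign_modules() {
    sign_file=$1 priv=$2 pub=$3
    shift 3
    rc=0
    for m in "$@"; do
        if [ -f "$m" ]; then
            f=$m
        else
            # sign-file works on a file, so turn the module name into its path.
            f=$(modinfo -n "$m") || { echo "cannot resolve: $m" >&2; rc=1; continue; }
        fi
        if has_module_sig "$f"; then
            # Skip so that a rerun does not stack a second signature on the file.
            echo "already signed: $f"
            continue
        fi
        "$sign_file" sha256 "$priv" "$pub" "$f" || rc=1
        if has_module_sig "$f"; then
            echo "signed: $f"
        else
            echo "still unsigned: $f" >&2
            rc=1
        fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    sign_modules "/usr/src/kernels/$(uname -r)/scripts/sign-file" \
        ./private_key.priv ./public_key.der "$@"
fi
```

If a module was signed earlier with a different key, rebuild or reinstall it before running this, since the script leaves files that already carry a trailer untouched.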