Signing custom kernel & modules failed

Hi there,
i am running fedora 35 and had to stick to kernel 5.15 - so i found xanmod-kernels and i am really happy.

But it would be great to have secure boot supported to gain more security.

So i tried to sign the bootloader, the kernel and the modules while running 5.15.27-xm1tt.0.fc35.x86_64 …

This is what i did:

I generated the needed cert & key (MOK.priv, MOK.der, MOK.pem) and imported the der-file via mokutil, rebooted and deployed the key … (i signed a vboxdrv.ko while running an original fedora kernel and this worked).

Afterwards i ran this script:

```sh
#!/bin/sh
sign_kver="5.15.27-xm1tt.0.fc35.x86_64"

readonly hash_algo='sha256'
readonly key='/root/module-signing/MOK.priv'
readonly x509='/root/module-signing/MOK.der'
readonly cert='/root/module-signing/MOK.pem'

# The exact location of sign-file might vary depending on your platform.
alias sign-file="/usr/src/kernels/$(uname -r)/scripts/sign-file"

[ -z "${KBUILD_SIGN_PIN}" ] && read -p "Passphrase for ${key}: " KBUILD_SIGN_PIN
export KBUILD_SIGN_PIN

# Sign shim64
sbsign --key "$key" --cert "$cert" /boot/efi/EFI/fedora/shimx64.efi --output /boot/efi/EFI/fedora/shimx64.efi

# Sign kernel
sbsign --key "$key" --cert "$cert" "/boot/vmlinuz-$sign_kver" --output "/boot/vmlinuz-$sign_kver"

# Sign modules in /lib…
modules=$(find "/lib/modules/$sign_kver/" -type f -name '*.ko')
for i in $modules; do sign-file "${hash_algo}" "${key}" "${x509}" "$i"; done

# Sign modules in /usr/lib…
usrmodules=$(find "/usr/lib/modules/$sign_kver/" -type f -name '*.ko')
for i in $usrmodules; do sign-file "${hash_algo}" "${key}" "${x509}" "$i"; done

# Install kernel
kernel-install -v add "${sign_kver}" "/usr/lib/modules/${sign_kver}/vmlinuz"
```

I checked the signature of (all checks were successful):

  1. the bootloader: pesign --show-signature --in=/boot/efi/EFI/fedora/shimx64.efi

certificate address is 0x7fd2fc659a18
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer’s common name is Microsoft Windows UEFI Driver Publisher
No signer email address.
No signing time included.
There were certs or crls included.

certificate address is 0x7fd2fc65bb58
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer’s common name is t14
The signer’s email address is mail@XXXXX.XX
Signing time: Fri Mar 11, 2022
There were certs or crls included.

  2. the kernel: pesign --show-signature --in=/boot/vmlinuz-$(uname -r)

certificate address is 0x7f7c295a6a48
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer’s common name is t14
The signer’s email address is mail@XXXX.XX
Signing time: Fri Mar 11, 2022
There were certs or crls included.

  3. a module: modinfo -F signer /lib/modules/5.15.27-xm1tt.0.fc35.x86_64/kernel/net/ipv4/gre.ko

t14

So i rebooted, but i get this error message here:

[FAILED] Failed to start Load kernel modules

and afterwards the bootprocess stops …

When secure boot is disabled in the bios settings, everything works like a charm …

Any hints???
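
Added example, not part of any post in this thread: the first post verifies one module with modinfo, while its signing loops only match files named `*.ko`. The sketch below lists every module under a tree, including compressed ones, that lacks the appended-signature trailer written by the kernel's sign-file. It checks only that the trailer is present, not which key signed the module or whether the signature validates; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit a module tree for files without an appended signature.
# A signed module ends with this marker plus a newline (28 bytes in total).
MAGIC='~Module signature appended~'

# Write the module's raw bytes to stdout, decompressing by file extension.
# Compressed modules are signed before compression, so the trailer is only
# visible after decompressing.
module_bytes() {
    case "$1" in
        *.ko)     cat "$1" ;;
        *.ko.xz)  xz -dc "$1" ;;
        *.ko.zst) zstd -dcq "$1" ;;
        *.ko.gz)  gzip -dc "$1" ;;
    esac
}

# Return 0 if the module ends with the signature marker, non-zero otherwise.
# tr drops NUL bytes so binary tails do not upset the command substitution,
# which also strips the marker's trailing newline.
is_signed() {
    [ "$(module_bytes "$1" | tail -c 28 | tr -d '\000')" = "$MAGIC" ]
}

# Print the path of every module below directory $1 that has no trailer.
list_unsigned() {
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.xz' \
        -o -name '*.ko.zst' -o -name '*.ko.gz' \) |
    while IFS= read -r f; do
        is_signed "$f" || printf '%s\n' "$f"
    done
}

# Usage: sh audit.sh "/lib/modules/$(uname -r)"
if [ $# -gt 0 ]; then
    list_unsigned "$1"
fi
```

An empty result means every module file found carries a trailer; any path printed is a module the signing loop missed or that was replaced after signing.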

I think the default kernel and modules are already signed and the signature is stored in bios.
You seem to be using a different signature so it may be necessary to put your own signature into bios so the machine can recognize it.

Have not done that so cannot tell you the steps.

You’ll definitely need to add your key to your machine’s BIOS. The Fedora docs on this might also be helpful:

https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/#_secure_boot

Hmmm, i already added the key via: mokutil --import /root/module-signing/MOK.der

I can confirm that this key is deployed …

Since I am not familiar with mok I have to ask this.

Does your command above write to the BIOS key storage area or to the OS key area? There is a distinct difference in function.
The key stored in the BIOS is what is compared to the key residing in the kernel and modules during boot when using secure boot. If matching keys are not found then loading of the kernel and/or modules is prevented.

Below is an image of my BIOS screen related to secure boot on my laptop. I have to leave secure boot disabled since I have an nvidia card and am using their proprietary drivers, but this shows the area where I would access it to store additional keys for use if the utility does not already write the key there. This is also where I can look at exactly what keys are already stored in the BIOS area.

Hi Jeff,
great hint - i did some more research and found this awesome tutorial:

https://sysguides.com/fedora-uefi-secure-boot-with-custom-keys/#12-6-sign-binaries

I followed it step by step (creating, deploying and checking db, pk, kek to the bios, signing the shim, kernel, modules) …

But still i get the error-message “Failed to load kernel modules” at the startup …

Anyway, thanks for your help …

Can you confirm that you also added the key to your system’s BIOS/UEFI settings (outside of Fedora), similar to what @computersavvy posted above in the screenshot?

Adding and signing with Fedora is half of the equation, but the system BIOS also needs the key at boot in order to trust it. That is something that generally happens outside of Fedora and in your system’s BIOS setup menu.

Hi scott,
yes i can:

efi-readvar

Variable PK, length 1719
PK: List 0, type X509
Signature 0, size 1691, owner b95324c8-d00b-41d1-befc-cb276777c504
Subject:
C=DE, ST=NRW, L=Cologne, O=test.test, CN=private, emailAddress=mail@test.test
Issuer:
C=DE, ST=NRW, L=Cologne, O=test.test, CN=private, emailAddress=mail@test.test
Variable KEK, length 1719
KEK: List 0, type X509
Signature 0, size 1691, owner b95324c8-d00b-41d1-befc-cb276777c504
Subject:
C=DE, ST=NRW, L=Cologne, O=test.test, CN=private, emailAddress=mail@test.test
Issuer:
C=DE, ST=NRW, L=Cologne, O=test.test, CN=private, emailAddress=mail@test.test
Variable db, length 1719
db: List 0, type X509
Signature 0, size 1691, owner b95324c8-d00b-41d1-befc-cb276777c504
Subject:
C=DE, ST=NRW, L=Cologne, O=test.test, CN=private, emailAddress=mail@test.test
Issuer:
C=DE, ST=NRW, L=Cologne, O=test.test, CN=private, emailAddress=mail@test.test
Variable dbx has no entries
Variable MokList has no entries

What’s the output of mokutil --list-enrolled?

Hey Scott,
mokutil --list-enrolled showed the right key …

I give up … thank you for your support …