Hello,
I am getting more and more frustrated while trying to find a solution to sign kernel modules automatically on each update. I did a lot of research on the topic but couldn't find a good solution for Arch.
I really don't know a lot about the topic since I just started using secureboot and enforcing signed kernel modules for my system so I am getting a bit overwhelmed.
I read through these articles:
Arch Wiki - Signed_kernel_modules
Debian Wiki - SecureBoot#MOK
Redhat - signing-kernel-modules
dkms-module-signing.md
By now I couldn't really find a good way to do what I want and the arch-sign-modules AUR package also didn't really help me.
I know this might be too much to ask for since I could probably find a way myself by doing more research, but maybe someone has a good solution that I could implement (using pacman hooks for example).
The Arch Wiki article also assumes the use of a custom kernel for some reason which confuses me even more.
The out of tree kernel modules I'd want to sign are:
acpi_call, nvidia, nvidia_modeset, nvidia_uvm, nvidia_drm
And if possible I'd want to use nvidia-dkms and acpi_call-dkms as packages providing those kernel modules since I would want to use linux-zen and linux-hardened kernels as well.
My exact setup I want to do this on can be seen here
Feel free to ignore this since I should probably just try to find a way myself!
Thanks in advance for any help on this
Last edited by leomeinel (2022-09-25 14:23:27)
That's not about SecureBoot.
Neither is that.
Here is Debian's sign-file script: https://salsa.debian.org/kernel-team/li … ile-attach
Ubuntu have a patch for sbsigntools that provides a kmodsign command: https://bbs.archlinux.org/viewtopic.php … 7#p2021657
Jin, Jîyan, Azadî
leomeinel wrote: That's not about SecureBoot.
leomeinel wrote: Neither is that.
Here is Debian's sign-file script: https://salsa.debian.org/kernel-team/li … ile-attach
Ubuntu have a patch for sbsigntools that provides a kmodsign command: https://bbs.archlinux.org/viewtopic.php … 7#p2021657
Thanks a lot for the provided information! The thing that I don't really understand is that my secureboot works just fine!
Also kernel modules get loaded (btrfs for example) but any out of tree kernel module won't load (acpi_call, nvidia, ...).
If using secureboot and using the module.sig_enforce=1 kernel parameter, would I have to rely on the linked Debian/Ubuntu script and the patch?
Or is there a simple way to implement this with Arch.
As I said, I am very inexperienced with secureboot and signing kernel modules myself.
So I really don't know what is actually necessary to get my out of tree kernel modules signed.
And another thing that I don't really get is if secureboot has anything to do with this or if it is not related to that at all since I read contradicting information basically everywhere I looked. Because as I'd see it secureboot shouldn't matter after the boot process.
Last edited by leomeinel (2022-09-24 23:51:49)
You are conflating verified kernel modules with modules that have been signed with a SecureBoot key.
If you want your out-of-tree kernel modules to work with SecureBoot then you will have to sign them with the same key used for the kernel.
Jin, Jîyan, Azadî
You are conflating verified kernel modules with modules that have been signed with a SecureBoot key.
If you want your out-of-tree kernel modules to work with SecureBoot then you will have to sign them with the same key used for the kernel.
Thanks again for your reply,
I will mark this as solved and try to find a solution to this
I didn't even know that secureboot required the modules to be signed as well so thank you very much for clearing up a lot of my confusions about the topic.
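For the symptom described earlier in the thread (in-tree modules such as btrfs load with module.sig_enforce=1 while acpi_call and nvidia do not), the following is an added example, not code from any poster or from the linked projects: it reports whether a module file carries the kernel's appended signature trailer. The function names and the sample data are constructed for illustration; zstd-compressed modules must be decompressed before checking.

```python
import gzip, lzma, struct, sys
from pathlib import Path

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING, last 28 bytes of a signed module
TRAILER = struct.Struct(">BBBBB3xI")      # struct module_signature: 5 x u8, 3 pad bytes, be32 sig_len
PKEY_ID_PKCS7 = 2                         # id_type used for PKCS#7 module signatures


def read_module(path):
    """Return module bytes; .gz and .xz are decompressed with the standard library."""
    data = Path(path).read_bytes()
    name = str(path)
    if name.endswith(".gz"):
        return gzip.decompress(data)
    if name.endswith(".xz"):
        return lzma.decompress(data)
    if name.endswith(".zst"):
        raise ValueError("zstd-compressed: run `zstd -d` on it first")
    return data


def signature_info(blob):
    """None when no signature is appended, else the parsed trailer fields."""
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("file too short for a signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    body = end - TRAILER.size
    if sig_len == 0 or sig_len >= body:
        raise ValueError("sig_len does not fit in the file")
    return {"id_type": id_type, "pkcs7": id_type == PKEY_ID_PKCS7,
            "sig_len": sig_len, "module_len": body - sig_len}


def constructed_sample(signed):
    """Constructed stand-in for a .ko file (fake payload, fake 16-byte signature)."""
    payload = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return payload
    return payload + b"S" * 16 + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 16) + MAGIC


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        try:
            info = signature_info(read_module(arg))
        except (OSError, ValueError, lzma.LZMAError) as exc:
            print(f"{arg}: error: {exc}")
            continue
        print(f"{arg}: " + (f"signed, {info['sig_len']}-byte signature" if info else "UNSIGNED"))
```

A signature being present says nothing about whether the kernel trusts the key that made it; that is decided at load time against the kernel's keyrings.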