Issue:

I'm trying to use signed kernel modules, but getting a failure for the insmod command:

PKCS#7 signature not signed with a trusted key

There is a potentially related error message during Linux boot:

[    3.342888] Loading compiled-in X.509 certificates
[    3.391774] Problem loading in-kernel X.509 certificate (-129)

The command cat /proc/keys shows .builtin_trusted_keys: empty

Setup:

The 4.9.x kernel was compiled with the following defconfig options:

...
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODVERSIONS=y
CONFIG_MODULE_SRCVERSION_ALL=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_PATH=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_BRINGUP=y
CONFIG_DEFAULT_SECURITY_DAC=y
...

Modules were signed with the command: sign-file sha256 certs/signing_key.pem certs/signing_key.x509 <.ko>

Comments:

I assume I need to fix the in-kernel X.509 certificate loading error, but I haven't come across how to do that. I thought the file certs/signing_key.pem generated during kernel compilation would be wrapped into the kernel but it appears not based on /proc/keys. I don't want to disable signing or allow unsigned modules, I just want to sign them properly with a trusted key. If anyone has advice, that would be much appreciated.

The posts I've found regarding nvidia drivers and Ubuntu/Fedora haven't yielded any progress yet. Example: PKCS#7 signature not signed with a trusted key

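The trailer that sign-file appends to a .ko, as an added example that is not part of the question or the answer: it frames a constructed (not real) PKCS#7 blob the way scripts/sign-file does and parses it back with the framing checks the 4.9 module loader applies in mod_verify_sig(), so a module that is unsigned, truncated or mis-framed can be told apart from one that is correctly signed but, as here, by a key that is not on .builtin_trusted_keys. It does not verify the signature itself; that needs the signer's certificate and is the kernel's job.

```python
import struct

# Trailer appended by scripts/sign-file: module || PKCS#7 blob || struct module_signature || MAGIC
MAGIC = b"~Module signature appended~\n"
# struct module_signature (kernel/module_signing.c): u8 algo, hash, id_type,
# signer_len, key_id_len, __pad[3]; __be32 sig_len  -> 12 bytes, big-endian
SIG_HDR = struct.Struct(">8BI")
PKEY_ID_PKCS7 = 2  # the only id_type the 4.9 module loader accepts


def append_signature(module: bytes, pkcs7: bytes) -> bytes:
    """Frame a detached PKCS#7 signature exactly as sign-file does."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 0, 0, 0, len(pkcs7))
    return module + pkcs7 + hdr + MAGIC


def parse_signed_module(data: bytes):
    """Split a .ko into (module, pkcs7), or return None when no trailer is present.

    Applies the same framing checks as mod_verify_sig(); it does not verify the
    signature, which needs the signer's certificate and is the kernel's job.
    """
    if not data.endswith(MAGIC):
        return None  # unsigned: refused outright when CONFIG_MODULE_SIG_FORCE=y
    body = data[: -len(MAGIC)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module_signature header")
    fields = SIG_HDR.unpack(body[-SIG_HDR.size:])
    algo, hsh, id_type, signer_len, key_id_len = fields[:5]
    pad, sig_len = fields[5:8], fields[8]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("id_type %d is not PKCS#7 (kernel: -ENOPKG)" % id_type)
    if algo or hsh or signer_len or key_id_len or any(pad):
        raise ValueError("non-zero fields in PKCS#7 header (kernel: -EBADMSG)")
    payload = body[: -SIG_HDR.size]
    if sig_len >= len(payload):
        raise ValueError("sig_len exceeds module size (kernel: -EBADMSG)")
    split = len(payload) - sig_len
    return payload[:split], payload[split:]


if __name__ == "__main__":
    # Constructed sample: neither a real ELF image nor a real signature, just
    # enough bytes to exercise the framing code.
    fake_ko = b"\x7fELF" + b"\x00" * 60
    fake_sig = b"\x30\x82\x01\x00" + b"\xaa" * 20  # DER SEQUENCE prefix plus filler
    print(parse_signed_module(fake_ko))  # None: no trailer
    module, sig = parse_signed_module(append_signature(fake_ko, fake_sig))
    print(module == fake_ko, len(sig))  # True 24
```

Run it against a real module with `parse_signed_module(open("foo.ko", "rb").read())`; a `None` result means the module was never signed, while a tuple means the signature is present and the remaining question is whether its signer is on the kernel's trusted keyring.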

I think the kernel compilation expects the signing_key.* files in the base directory of the kernel source tree and not under a "certs" subdirectory. The compilation process should automatically sign the standard modules for you; only third-party modules should need manual signing.

Also, my old script for compiling a 4.9.* kernel with signed modules had the certificate file in DER format. Perhaps it was necessary?

In the 4.14 and newer kernels, the procedure is a bit different: there is a kernel configuration option for specifying the pathname of the certificate file.
