Is there an "easy" way to just sign all kernel modules in the /lib/modules directory?

I'm getting an error about a module not being signed so not loading. CentOS 7.7 UEFI booting. (I cannot remove UEFI as hardware does not allow it).

Thanks,
Jerry

> I'm getting an error about a module not being signed so not loading.
> CentOS 7.7 UEFI booting. (I cannot remove UEFI as hardware does not allow
> it).

You need to turn off secure booting - you can still boot using UEFI, but if secure booting is turned on the kernel doesn't allow unsigned modules.

P.

> You need to turn off secure booting - you can still boot using UEFI,
> but if secure booting is turned on the kernel doesn't allow unsigned
> modules.

Thanks - so is that command line to run? Config file to edit?

I ran mokutil --disable-verification and rebooted.
I don't desire that MOK management screen to show - how do you get rid of that?

After rebooting my module still does not load.

Jerry

On Mon, 16 Mar 2020 at 12:43, Jerry Geis <jerry.geis at gmail.com> wrote:

> > You need to turn off secure booting - you can still boot using UEFI,
> > but if secure booting is turned on the kernel doesn't allow unsigned
> > modules.
>
> Thanks - so is that command line to run? Config file to edit?
>

Secure boot is in your hardware UEFI/BIOS setup. Basically ring -1 or -2 on the hardware. Nothing in the OS can turn this on or off, as that is the purpose of this control: to make sure a virus cannot fool the hardware into using bad kernel level code.

> I ran mokutil --disable-verification and rebooted
> I don't desire that MOK management screen to show - how do you get rid of
> that?
>
> After rebooting my module still does not load.
>
> Jerry
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

--
Stephen J Smoogen.

On Mon, 2020-03-16 at 12:42 -0400, Jerry Geis wrote:

> > You need to turn off secure booting - you can still boot using UEFI,
> > but if secure booting is turned on the kernel doesn't allow unsigned
> > modules.
>
> Thanks - so is that command line to run? Config file to edit?
>

It's a BIOS setting.

P.

On 16/03/2020 16:42, Jerry Geis wrote:

>> You need to turn off secure booting - you can still boot using UEFI,
>> but if secure booting is turned on the kernel doesn't allow unsigned
>> modules.
>
> Thanks - so is that command line to run? Config file to edit?
>
> I ran mokutil --disable-verification and rebooted
> I don't desire that MOK management screen to show - how do you get rid of
> that?
>
> After rebooting my module still does not load.
>

Rather than disabling a security feature, why don't you generate a Secure Boot signing key and sign your module?

Please see the RHEL documentation here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html

Elrepo has a guide here on how to import your Secure Boot signing key once you have signed your module:

http://elrepo.org/tiki/SecureBootKey

Phil

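An added example for the signing route suggested above (it is not part of the thread and not taken from the RHEL or ELRepo guides): it lists the `.ko` files under a directory that lack the kernel's appended-signature marker and signs only those. The function names are hypothetical, the key and certificate are files you generate yourself, and it assumes uncompressed `.ko` files and the `sign-file` script from kernel-devel, invoked via `perl` as on RHEL/CentOS 7.

```shell
#!/bin/bash
# Added example: find unsigned .ko files and sign them with your own key.
# Assumptions: uncompressed .ko files only (.ko.xz is skipped) and
# kernel-devel installed so that scripts/sign-file exists.

# The kernel appends this marker plus a newline (28 bytes) to a signed module.
SIG_MAGIC='~Module signature appended~'

# is_signed FILE: succeed if FILE ends with the signature marker.
# NUL bytes are dropped so binary tails do not upset the shell.
is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\0')" = "$SIG_MAGIC" ]
}

# list_unsigned DIR: print every .ko under DIR that has no signature marker.
list_unsigned() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r mod; do
        is_signed "$mod" || printf '%s\n' "$mod"
    done
}

# sign_unsigned DIR KEY CERT: sign each unsigned module in place.
# KEY is the private key, CERT the matching public X.509 certificate (DER).
sign_unsigned() {
    local dir=$1 key=$2 cert=$3
    local signer="/usr/src/kernels/$(uname -r)/scripts/sign-file"
    list_unsigned "$dir" | while IFS= read -r mod; do
        perl "$signer" sha256 "$key" "$cert" "$mod" && echo "signed: $mod"
    done
}

# Usage: script DIR            -> list unsigned modules
#        script DIR KEY CERT   -> sign them (run as root)
if [ "$#" -eq 1 ]; then
    list_unsigned "$1"
elif [ "$#" -eq 3 ]; then
    sign_unsigned "$1" "$2" "$3"
fi
```

The marker check only shows that a signature is present, not that the kernel trusts it: the certificate still has to be enrolled with `mokutil --import` and confirmed on the MOK management screen at the next boot, as the ELRepo guide describes.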
Hi all - Thanks for the comments. However - I'm getting nowhere.

Let me start again. My "hardware" does not have the ability to turn off secure boot. It's an Intel NUC7C - not possible.

So instead of my generic "image" I have that I copy to physical disk (has all my install, setup etc... everything ready). I created a new UEFI disk that again has everything set up and ready. All works on the image. Then when I copy to the image and boot up - I noticed things are not quite right. This one module is one example. I think there are others I have not noticed yet.

So "how" can I create an image for UEFI that has everything set up - and then copy that image to a physical disk and expect everything to still be the same and working?

Thanks,
Jerry