CentOS - Mar 2020 - signing modules

HI all- Thanks for the comments. However -I'm getting no where.

Let me start again.

My 'hardware" does not have the ability to turn off secure boot. Its an
Intel NUC7C - not possible.
SO instead of my generic "image" i have that I copy to physical disk
(has
all my install,setup etc... everything ready).
I created a new UEFI disk that again has everything setup and ready.   All
works on teh image.

Then when I copy to the image and boot up - I noticed things are not quite
right.
This one module is one example.
I think there are others I have not noticed yet.

So "how" can I create an image for UEFI that has everything setup -
and
then copy that image to a physical disk and expect everything to still be
the same and working?

Thanks,

Jerry

Ok  I tried signing a module... Did not work.

+ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER
-out MOK.der -nodes -days 36500 -subj '/CN=dahdi Modules/'
Generating a 2048 bit RSA private key
......................................+++
..............................................................................+++
writing new private key to 'MOK.priv'
-----
++ uname -r
++ modinfo -n dahdi
+ /usr/src/kernels/3.10.0-1062.12.1.el7.x86_64/scripts/sign-file sha256
./MOK.priv ./MOK.der /lib/modules/3.10.0-1062.12.1.el7.x86_64/dahdi/dahdi.ko

 service dahdi restart
Restarting dahdi (via systemctl):  Job for dahdi.service failed because the
control process exited with error code. See "systemctl status
dahdi.service" and "journalctl -xe" for details.
      [FAILED]

Mar 16 16:20:12  dahdi[12787]: Loading DAHDI hardware modules:
Mar 16 16:20:12  dahdi[12787]: modprobe: ERROR: could not insert
'dahdi':
Required key not available
Mar 16 16:20:12  kernel: Request for unknown module key 'dahdi Modules:
3e93f14b19188e27f6dbfaf5ad47474abb9606fc' err -11

Did I miss something ?

Jerry

On 16/03/2020 20:23, Jerry Geis wrote:
> Ok  I tried signing a module... Did not work.
> 
> + openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER
> -out MOK.der -nodes -days 36500 -subj '/CN=dahdi Modules/'
> Generating a 2048 bit RSA private key
> ......................................+++
>
..............................................................................+++
> writing new private key to 'MOK.priv'
> -----
> ++ uname -r
> ++ modinfo -n dahdi
> + /usr/src/kernels/3.10.0-1062.12.1.el7.x86_64/scripts/sign-file sha256
> ./MOK.priv ./MOK.der
/lib/modules/3.10.0-1062.12.1.el7.x86_64/dahdi/dahdi.ko
> 
>   service dahdi restart
> Restarting dahdi (via systemctl):  Job for dahdi.service failed because the
> control process exited with error code. See "systemctl status
> dahdi.service" and "journalctl -xe" for details.
>        [FAILED]
> 
> Mar 16 16:20:12  dahdi[12787]: Loading DAHDI hardware modules:
> Mar 16 16:20:12  dahdi[12787]: modprobe: ERROR: could not insert
'dahdi':
> Required key not available
> Mar 16 16:20:12  kernel: Request for unknown module key 'dahdi Modules:
> 3e93f14b19188e27f6dbfaf5ad47474abb9606fc' err -11
> 
> Did I miss something ?
> 
Looks like you did not enroll your signing key in the MOK list as the 
kernel is telling you it can not find your key to verify the signing of 
the module?

Read the two links I posted earlier, and links therein. That is the best 
documentation that exists AFAIK.

Phil

Hi Phil,

Your correct. I missed a step about importing the key:
mokutil --import MOK.der

So then I rebooted entered teh MOK, accepted all certs and rebooted and it
loaded.

I only have one problem with this... many of my systems are remote. I "will
not" be able to remotely enter the MOK and accept the certs etc... How do I
get around this?  Recall that my hardware (NUC7C) does not allow to disable
UEFI.  So I have to use UEFI.

Thanks for all the suggestions.

Jerry