Bug 1615744

Summary: Kernel module signing instructions for Secure Boot contain errors
Product: [Fedora] Fedora Documentation
Component: system-administrator's-guide
Version: devel
Hardware: x86_64
OS: Linux
Type: Bug
Status: NEW
Severity: medium
Priority: unspecified
Reporter: Andrew Henry <adhenry.9>
Assignee: Petr Bokoc <pbokoc>
QA Contact: Fedora Docs QA <docs-qa>
CC: nicolasoliver03, swadeley
Doc Type: If docs needed, set a value

Description Andrew Henry 2018-08-14 07:19:21 UTC
Description of problem:

At the following Documentation address:

There are a couple of syntax errors regarding listing keyrings and signing a kernel module.

How reproducible: every time

Steps to Reproduce:

1. Reference to "keyctl list %:.system_keyring" is deprecated and should instead be:

keyctl list %:.builtin_trusted_keys

This can be verified by listing the keys:

cat /proc/keys | grep keyring

Note that this error is already discussed in Bug 1509714: https://bugzilla.redhat.com/show_bug.cgi?id=1509714

2. Secondly, the script syntax for signing a kernel module is wrong.  In the documentation it says as follows:

~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko

Running the above gives this error:

Unrecognized character \ ; marked by <-- HERE after <-- HERE near column 1 at /usr/src/linux/scripts/sign-file line 1.

But perl is no longer needed since kernel 4.3.3 and sign-file is now an executable, so it should read like this:

~]# /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko

Additional info:

Comment 1 Andrew Henry 2018-08-14 10:47:33 UTC
Note that to get all info about keys, including the Microsoft one, you also need to run:

keyctl list %:.secondary_trusted_keys
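
The following script is an added example and is not part of the Fedora System Administrator's Guide or of the bug report. It turns the two corrections in the description (the keyring is now named .builtin_trusted_keys, and sign-file is an ELF binary rather than a perl script) and the .secondary_trusted_keys point from Comment 1 into checks, so a signing script fails with a clear message instead of running the wrong command. It assumes the keyring listing in /proc/keys and the Fedora kernel-devel path /usr/src/kernels/$(uname -r)/scripts/sign-file quoted in the report; the key file names are the ones the guide uses.

```shell
#!/bin/sh
# Added example (not code from the Fedora guide or the bug report).
# Assumed paths: /proc/keys for the kernel keyring listing and
# /usr/src/kernels/$(uname -r)/scripts/sign-file for the signing tool.

# Print the name of the kernel's built-in trusted keyring. Recent kernels call
# it .builtin_trusted_keys; older ones .system_keyring. A /proc/keys line looks
# like:  1e2c07b5 I--Q--- 1 perm 1f3f0000 0 0 keyring   .builtin_trusted_keys: 3
# so field 8 is the key type and field 9 the description (with a trailing colon).
# Returns 1 if neither keyring exists in the listing.
pick_trusted_keyring() {
    keys_file=${1:-/proc/keys}
    for name in .builtin_trusted_keys .system_keyring; do
        if awk -v n="$name:" '$8 == "keyring" && $9 == n { found = 1 }
                              END { exit !found }' "$keys_file"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# List the keys the running kernel trusts for module signatures: the built-in
# keyring plus .secondary_trusted_keys, which is where keys loaded at boot
# (the Microsoft and MOK certificates on a Secure Boot host) are visible.
list_trusted_keys() {
    kr=$(pick_trusted_keyring) || { echo "no trusted keyring found" >&2; return 1; }
    for name in "$kr" .secondary_trusted_keys; do
        echo "== $name"
        keyctl list "%:$name" 2>/dev/null || echo "(absent on this kernel)"
    done
}

# Print the command prefix that runs sign-file for this kernel. An ELF binary
# (what current kernels ship) is executed directly; the old perl script needs
# perl in front. Feeding the ELF binary to perl is what produces the
# "Unrecognized character \" error quoted in the report.
sign_file_cmd() {
    sf=${1:-/usr/src/kernels/$(uname -r)/scripts/sign-file}
    [ -r "$sf" ] || { echo "sign-file not found: $sf" >&2; return 1; }
    if [ "$(head -c 4 "$sf" | tr -cd 'A-Za-z')" = ELF ]; then
        printf '%s\n' "$sf"
    else
        printf 'perl %s\n' "$sf"
    fi
}

# Sign a module with the private key and DER certificate the guide has the
# reader generate (my_signing_key.priv / my_signing_key_pub.der).
sign_module() {
    key=$1 cert=$2 mod=$3 sf=${4:-}
    cmd=$(sign_file_cmd "$sf") || return 1
    $cmd sha256 "$key" "$cert" "$mod"   # word-splitting of $cmd is intended
}

# A signed module ends with the 28-byte marker "~Module signature appended~\n".
# Checking it up front is cheaper than learning from insmod that the module
# has no signature the kernel will accept.
module_is_signed() {
    tail -c 28 "$1" | grep -q '~Module signature appended~'
}

# Typical use on a Fedora host with kernel-devel installed (as root):
#   list_trusted_keys
#   sign_module my_signing_key.priv my_signing_key_pub.der my_module.ko
#   module_is_signed my_module.ko && insmod my_module.ko
```

The functions take explicit file arguments so they can be exercised against a saved copy of /proc/keys or a test tree; with no arguments they fall back to the live kernel and the kernel-devel path above. Note that the marker check only says a signature block is present, not that it was made with a key the kernel trusts; that is what the keyring listing is for.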