Bug 1615744

Summary: Kernel module signing instructions for Secure Boot contain errors
Product: [Fedora] Fedora Documentation
Reporter: Andrew Henry <adhenry.9>
Component: system-administrator's-guide
Assignee: Petr Bokoc <pbokoc>
Status: NEW
QA Contact: Fedora Docs QA <docs-qa>
Severity: medium
Priority: unspecified
Version: devel
CC: nicolasoliver03, swadeley
Hardware: x86_64
OS: Linux
Type: Bug

Description Andrew Henry 2018-08-14 07:19:21 UTC
Description of problem:

At the following Documentation address:
https://docs.fedoraproject.org/en-US/fedora/f28/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/#sect-signing-kernel-modules-for-secure-boot

There are a couple of syntax errors regarding listing keyrings and signing a kernel module.


How reproducible: every time


Steps to Reproduce:

1. Reference to "keyctl list %:.system_keyring" is deprecated and should instead be:

keyctl list %:.builtin_trusted_keys

This can be verified by listing the keys:

cat /proc/keys | grep keyring

Note that this error is already discussed in Bug 1509714: https://bugzilla.redhat.com/show_bug.cgi?id=1509714


2. Secondly, the script syntax for signing a kernel module is wrong. In the documentation it says as follows:

~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko

Running the above gives this error:

Unrecognized character \ ; marked by <-- HERE after <-- HERE near column 1 at /usr/src/linux/scripts/sign-file line 1.

But perl is no longer needed since kernel 4.3.3 and sign-file is now an executable, so it should read like this:

~]# /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko


Additional info:

Comment 1 Andrew Henry 2018-08-14 10:47:33 UTC
Note that to get all info about keys, including the Microsoft one, you also need to run:

keyctl list %:.secondary_trusted_keys
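
Added example (not part of this bug report or of the Fedora documentation it concerns): a POSIX shell snippet that avoids both mistakes described above by checking the running system rather than hard-coding them. It reads /proc/keys to learn which trusted keyring names the kernel actually exposes (.system_keyring on older kernels, .builtin_trusted_keys and .secondary_trusted_keys on newer ones), and it inspects scripts/sign-file to decide whether it is still a perl script or already a compiled program, so the "perl" prefix is only added when it is needed. The /proc/keys sample is constructed, the function names are hypothetical, and the sign-file path and key file names are the ones quoted in the report.

```sh
#!/bin/sh
# Added example, not from the bug report or the Fedora documentation.
# Helpers that pick the right trusted keyring name and the right way to
# invoke scripts/sign-file by inspecting the system instead of guessing.

# Constructed sample of /proc/keys output. Serials, permissions and the
# key description are made up; the column layout matches the real file.
SAMPLE_PROC_KEYS='0a1b2c3d I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 2
1e2f3a4b I------     1 perm 1f030000     0     0 keyring   .secondary_trusted_keys: 1
2c3d4e5f I--Q---     1 perm 3f030000  1000  1000 keyring   _uid.1000: 1
3d4e5f6a I------     1 perm 1f030000     0     0 asymmetri Example kernel signing key: X509.rsa 00000000 []'

# Print, sorted, the kernel trusted keyring names present in the given
# /proc/keys text. Column 8 is the key type and column 9 the description
# (the keyring name followed by a colon). Older kernels expose
# .system_keyring; newer ones expose .builtin_trusted_keys plus
# .secondary_trusted_keys, which is where vendor (e.g. Microsoft) and
# MOK-enrolled certificates are listed.
trusted_keyrings() {
    printf '%s\n' "$1" \
        | awk '$8 == "keyring" { sub(":$", "", $9); print $9 }' \
        | grep -E '^\.(system_keyring|builtin_trusted_keys|secondary_trusted_keys)$' \
        | sort
}

# Print the keyctl argument for listing the built-in trusted keys,
# preferring the current keyring name and falling back to the old one
# that the documentation still quotes.
builtin_keyring_arg() {
    if trusted_keyrings "$1" | grep -qx '.builtin_trusted_keys'; then
        echo '%:.builtin_trusted_keys'
    else
        echo '%:.system_keyring'
    fi
}

# Decide how scripts/sign-file must be invoked. If it starts with a
# shebang it is the old perl script and needs the "perl" prefix; if it
# is a compiled program (as the report notes for kernels since 4.3.3),
# prefixing it with "perl" produces the "Unrecognized character" error
# quoted above. Prints the command prefix to use.
sign_file_cmd() {
    path=$1
    [ -f "$path" ] || { echo "sign_file_cmd: $path not found" >&2; return 1; }
    if [ "$(head -c 2 "$path")" = '#!' ]; then
        echo "perl $path"
    else
        echo "$path"
    fi
}

# Sign a module with the key pair from the documentation, using the
# invocation style detected above. The command prefix is deliberately
# word-split so that "perl /path/to/sign-file" works as two words.
sign_module() {
    hash=$1 priv=$2 der=$3 module=$4
    cmd=$(sign_file_cmd "/usr/src/kernels/$(uname -r)/scripts/sign-file") || return 1
    $cmd "$hash" "$priv" "$der" "$module"
}

# Demonstration on the constructed sample; on a live system pass
# "$(cat /proc/keys)" instead of "$SAMPLE_PROC_KEYS".
trusted_keyrings "$SAMPLE_PROC_KEYS"
builtin_keyring_arg "$SAMPLE_PROC_KEYS"

# Usage on a live system (as root):
#   keyctl list "$(builtin_keyring_arg "$(cat /proc/keys)")"
#   keyctl list %:.secondary_trusted_keys
#   sign_module sha256 my_signing_key.priv my_signing_key_pub.der my_module.ko
```

The keyring check is worth keeping even after the documentation is corrected: a procedure that inspects /proc/keys works on both old and new kernels, and listing .secondary_trusted_keys as well shows whether a MOK-enrolled key actually landed where the kernel will consult it at module load.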