Bug 1615744 - Kernel module signing instructions for Secure Boot contain errors
Status: NEW
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: system-administrator's-guide
Version: devel
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Petr Bokoc
QA Contact: Fedora Docs QA
Reported: 2018-08-14 07:19 UTC by Andrew Henry
Modified: 2019-10-17 20:17 UTC

Description Andrew Henry 2018-08-14 07:19:21 UTC
Description of problem:


At the following Documentation address:
https://docs.fedoraproject.org/en-US/fedora/f28/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/#sect-signing-kernel-modules-for-secure-boot

There are a couple of syntax errors regarding listing keyrings and signing a kernel module.


How reproducible: every time


Steps to Reproduce:

1. Reference to "keyctl list %:.system_keyring" is deprecated and should instead be:

keyctl list %:.builtin_trusted_keys

This can be verified by listing the keys:

cat /proc/keys | grep keyring

Note that this error is already discussed in Bug 1509714: https://bugzilla.redhat.com/show_bug.cgi?id=1509714


2. Secondly, the script syntax for signing a kernel module is wrong.  In the documentation it says as follows:

~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko

Running the above gives this error:

Unrecognized character \ ; marked by <-- HERE after <-- HERE near column 1 at /usr/src/linux/scripts/sign-file line 1.

But perl is no longer needed since kernel 4.3.3 and sign-file is now an executable, so it should read like this:

~]# /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko


Additional info:

Comment 1 Andrew Henry 2018-08-14 10:47:33 UTC
Note that to get all info about keys, including the Microsoft one, you also need to run:

keyctl list %:.secondary_trusted_keys
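
A portability check for the two corrections reported in this bug, as an added example that is not part of the bug report or the Fedora documentation: it reads /proc/keys-format text to find which of the trust keyrings named above exist, and inspects the first bytes of sign-file to decide whether a perl prefix applies. The function names and the sample /proc/keys lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: function names and sample data are illustrative.

# Constructed sample in /proc/keys format (field 8 = type, field 9 = description).
SAMPLE_KEYS='0a1b2c3d I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 1
1b2c3d4e I------     1 perm 1f0f0000     0     0 keyring   .secondary_trusted_keys: 2
2c3d4e5f I--Q---     3 perm 3f030000  1000  1000 keyring   _ses: 1'

# Print the kernel trust keyrings present in /proc/keys-format text on stdin.
trust_keyrings() {
    awk '$8 == "keyring" {
        name = $9; sub(/:$/, "", name)
        if (name ~ /^\.(builtin_trusted_keys|secondary_trusted_keys|system_keyring)$/)
            print name
    }'
}

# Classify sign-file by its first bytes: "elf", "perl" or "unknown".
sign_file_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;
        2321*) if head -n 1 "$1" | grep -q perl; then echo perl; else echo unknown; fi ;;
        *) echo unknown ;;
    esac
}

# Print the signing command line suited to the sign-file at $1.
sign_cmd() {
    tool=$1; shift
    case "$(sign_file_kind "$tool")" in
        elf)  echo "$tool $*" ;;
        perl) echo "perl $tool $*" ;;
        *)    echo "unsupported sign-file: $tool" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    # Live system: list each trust keyring that exists, then show the command.
    for k in $(trust_keyrings < /proc/keys); do keyctl list "%:$k"; done
    sign_cmd "/usr/src/kernels/$(uname -r)/scripts/sign-file" sha256 \
        my_signing_key.priv my_signing_key_pub.der my_module.ko
else
    # Offline: run the keyring detection over the constructed sample.
    printf '%s\n' "$SAMPLE_KEYS" | trust_keyrings
fi
```

Run with --live on the target host to list the keyrings that actually exist there and print the matching sign-file invocation without executing it.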

