Description of problem:
At the following Documentation address:
https://docs.fedoraproject.org/en-US/fedora/f28/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/#sect-signing-kernel-modules-for-secure-boot
There are a couple of syntax errors regarding listing keyrings and signing a kernel module.

How reproducible:
every time

Steps to Reproduce:
1. Reference to "keyctl list %:.system_keyring" is deprecated and should instead be:

keyctl list %:.builtin_trusted_keys

This can be verified by listing the keys:

cat /proc/keys | grep keyring

Note that this error is already discussed in Bug 1509714: https://bugzilla.redhat.com/show_bug.cgi?id=1509714

2. Secondly, the script syntax for signing a kernel module is wrong. In the documentation it says as follows:

~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko

Running the above gives this error:

Unrecognized character \ ; marked by <-- HERE after <-- HERE near column 1 at /usr/src/linux/scripts/sign-file line 1.

But perl is no longer needed since kernel 4.3.3 and sign-file is now an executable, so it should read like this:

~]# /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko

Additional info:
Note that to get all info about keys, including the Microsoft one, you also need to run: keyctl list %:.secondary_trusted_keys
This has been addressed in the newer docs: - https://docs.fedoraproject.org/en-US/fedora/f32/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/#sect-signing-kernel-modules-for-secure-boot
Great docs! The only missing thing I see is how you re-sign a module with a custom key. For example, I am using my own Secure Boot PK, KEK, DB and DBX, and I have a custom signed kernel. How do I pull already signed modules from the fedora repos and re-sign them with my custom key so they can work on Secure Boot? The docs in https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html do not say anything about it, and assume you are compiling the module. Do you need to remove the previous signature, or can you append the new signature? Other than that, I think the docs are great :)
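Added example, not part of the bug report, the Fedora docs or the kernel tree: a shell script that ties together the corrected sign-file invocation from the description and the re-signing question in the last comment. sign-file appends its output after the ELF file, in the layout the kernel defines in include/linux/module_signature.h and scripts/sign-file.c: the PKCS#7 blob, then a 12-byte struct module_signature whose last four bytes are the blob length as a big-endian integer, then the 28-byte marker "~Module signature appended~\n". Because that trailer lives outside the ELF container, it can be located from the end of the file and cut off by truncation, after which sign-file can append a signature made with a custom key. The sign-file path and the key file names are taken from the bug report and assume the matching kernel-devel package is installed; the signed-module fixture is constructed for the test and is not a real module.

```shell
#!/bin/sh
# Inspect, strip and re-sign the appended signature on a kernel module.
# Added example; assumes kernel-devel provides
# /usr/src/kernels/$(uname -r)/scripts/sign-file as in the bug report.
#
# Signed .ko layout (from module_signature.h / scripts/sign-file.c):
#   <ELF module> <PKCS#7 blob, sig_len bytes>
#   <struct module_signature, 12 bytes: algo, hash, id_type, signer_len,
#    key_id_len, 3 pad bytes, sig_len as big-endian u32>
#   <"~Module signature appended~\n", 28 bytes>
set -u

SIG_MARKER='~Module signature appended~'   # the file holds this plus "\n"
MARKER_LEN=28
INFO_LEN=12

file_size() { wc -c < "$1" | tr -d ' '; }

# 0 if the file ends with the kernel's module signature marker.
has_module_signature() {
    f="$1"
    [ "$(file_size "$f")" -ge $((MARKER_LEN + INFO_LEN)) ] || return 1
    # $(...) drops the trailing newline, so compare against the bare marker.
    [ "$(tail -c "$MARKER_LEN" "$f")" = "$SIG_MARKER" ]
}

# Print sig_len: the big-endian u32 that ends struct module_signature.
module_sig_len() {
    f="$1"
    off=$(( $(file_size "$f") - MARKER_LEN - 4 ))
    # od prints the four bytes as decimal values; load them into $1..$4.
    set -- $(od -An -tu1 -j "$off" -N 4 "$f")
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Write the module without its trailer (PKCS#7 blob + struct + marker) to $2.
strip_module_signature() {
    f="$1"; out="$2"
    has_module_signature "$f" || { echo "$f: no appended signature" >&2; return 1; }
    siglen=$(module_sig_len "$f")
    keep=$(( $(file_size "$f") - MARKER_LEN - INFO_LEN - siglen ))
    head -c "$keep" "$f" > "$out"
}

# Strip any existing signature, then sign with the custom key using the
# corrected (non-perl) sign-file call from the bug report.
resign_module() {
    priv="$1"; pub="$2"; mod="$3"
    sign_file="/usr/src/kernels/$(uname -r)/scripts/sign-file"
    if has_module_signature "$mod"; then
        strip_module_signature "$mod" "$mod.unsigned" && mv "$mod.unsigned" "$mod"
    fi
    "$sign_file" sha256 "$priv" "$pub" "$mod"
}

# Keyrings the bug report says to check for the trusted module-signing keys.
list_trusted_keys() {
    keyctl list %:.builtin_trusted_keys
    keyctl list %:.secondary_trusted_keys
}

# Constructed fixture for offline testing (NOT a real ELF module): a fake
# body, a 16-byte fake "signature", a struct module_signature with
# id_type=2 (PKCS7) and sig_len=16 (0x10), then the marker.
make_fake_signed_module() {
    out="$1"
    {
        printf 'FAKE-ELF-MODULE-BODY'
        printf 'FAKEPKCS7SIGDATA'
        printf '\000\000\002\000\000\000\000\000\000\000\000\020'
        printf '%s\n' "$SIG_MARKER"
    } > "$out"
}

# Usage: resign_module my_signing_key.priv my_signing_key_pub.der my_module.ko
```

After resign_module, `modinfo my_module.ko | grep -E '^sig'` shows the new signer and key id, and `tail -c 28 my_module.ko` shows the marker again. Keep the key files off the target machine once signing is done; anything that can read my_signing_key.priv can sign modules the kernel will trust.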