Bug 1615744 - Kernel module signing instructions for Secure Boot contain errors
Summary: Kernel module signing instructions for Secure Boot contain errors
Keywords:
Status: NEW
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: system-administrator's-guide
Version: devel
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Petr Bokoc
QA Contact: Fedora Docs QA
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-14 07:19 UTC by Andrew Henry
Modified: 2021-01-29 19:19 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Andrew Henry 2018-08-14 07:19:21 UTC
Description of problem:


At the following Documentation address:
https://docs.fedoraproject.org/en-US/fedora/f28/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/#sect-signing-kernel-modules-for-secure-boot

There are a couple of syntax errors regarding listing keyrings and signing a kernel module.


How reproducible: every time


Steps to Reproduce:

1. Reference to "keyctl list %:.system_keyring" is deprecated and should instead be:

keyctl list %:.builtin_trusted_keys

This can be verified by listing the keys:

cat /proc/keys | grep keyring

Note that this error is already discussed in Bug 1509714: https://bugzilla.redhat.com/show_bug.cgi?id=1509714


2. Secondly, the script syntax for signing a kernel module is wrong.  In the documentation it says as follows:

~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko

Running the above gives this error:

Unrecognized character \ ; marked by <-- HERE after <-- HERE near column 1 at /usr/src/linux/scripts/sign-file line 1.

But perl is no longer needed since kernel 4.3.3 and sign-file is now an executable, so it should read like this:

~]# /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko


Additional info:

Comment 1 Andrew Henry 2018-08-14 10:47:33 UTC
Note that to get all info about keys, including the Microsoft one, you also need to run:

keyctl list %:.secondary_trusted_keys

Comment 3 nicolasoliver03 2021-01-29 19:19:41 UTC
Great docs!

The only missing thing I see is how you re-sign a module with a custom key.
For example, I am using my own Secure Boot PK, KEK, DB and DBX, and I have a custom signed kernel.
How do I pull already signed modules from the fedora repos and re-sign with my custom key so they can work on Secure Boot?
The docs in https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html do not say anything about it, and assume you are compiling the module.
Do you need to remove the previous signature, or can you append the new signature?

Other than that, I think the docs are great :)
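As an added example, not part of the bug report or of the Fedora docs: the trailer that sign-file appends to a module (the PKCS#7 blob, a 12-byte struct module_signature, then the magic string) parsed and stripped in Python, which is what a re-signing step needs because the kernel only verifies the final trailer and treats anything before it, an earlier signature included, as part of the hashed module body. The sample module and signature bytes are constructed stand-ins, not a real ELF image or a real PKCS#7 structure.

```python
import struct

# Layout from the kernel's module signing code: module | PKCS#7 | module_signature | magic
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")


def parse_module_signature(data: bytes):
    """Return (payload, info, pkcs7) for a signed module image, or None if no trailer is present.

    payload is what the kernel hashes (everything before the PKCS#7 blob), info holds the
    struct module_signature fields the kernel checks, pkcs7 is the raw signature blob.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    body = body[:-SIG_INFO.size]
    # For PKCS#7 signatures the kernel requires every other field to be zero
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        raise ValueError("unexpected module_signature fields for a PKCS#7 signature")
    if sig_len > len(body):
        raise ValueError("sig_len exceeds module size")
    payload, pkcs7 = body[:-sig_len], body[-sig_len:]
    return payload, {"id_type": id_type, "sig_len": sig_len}, pkcs7


def strip_module_signature(data: bytes) -> bytes:
    """Return the image with its final trailer removed; an unsigned image is returned unchanged."""
    parsed = parse_module_signature(data)
    return data if parsed is None else parsed[0]


def signature_count(data: bytes) -> int:
    """Count stacked trailers; more than one means a signed module was re-signed by appending."""
    count = 0
    while True:
        parsed = parse_module_signature(data)
        if parsed is None:
            return count
        count += 1
        data = parsed[0]


def append_signature(module: bytes, pkcs7: bytes) -> bytes:
    """Lay out a trailer the way sign-file does (signature bytes supplied by the caller)."""
    return module + pkcs7 + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7)) + MODULE_SIG_STRING


# Constructed sample data: a stand-in module image and a stand-in DER blob (not real PKCS#7)
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_SIG = b"\x30\x82" + b"\xaa" * 40
```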

