Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1615744

Summary: Kernel module signing instructions for Secure Boot contain errors
Product: [Retired] Fedora Documentation Reporter: Andrew Henry <adhenry.9>
Component: system-administrator's-guideAssignee: Petr Bokoc <pbokoc>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Docs QA <docs-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: develCC: mmethot, nicolasoliver03, swadeley
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-05-21 12:49:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrew Henry 2018-08-14 07:19:21 UTC
Description of problem:


At the following Documentation address:
https://docs.fedoraproject.org/en-US/fedora/f28/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/#sect-signing-kernel-modules-for-secure-boot

There are a couple of syntax errors regarding listing keyrings and signing a kernel module.


How reproducible: every time


Steps to Reproduce:

1. Reference to "keyctl list %:.system_keyring" is deprecated and should instead be:

keyctl list %:.builtin_trusted_keys

This can be verified by listing the keys:

cat /proc/keys | grep keyring

Note that this error is already discussed in Bug 1509714: https://bugzilla.redhat.com/show_bug.cgi?id=1509714


2. Secondly, the script syntax for signing a kernel module is wrong.  In the documentation it says as follows:

~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko

Running the above gives this error:

Unrecognized character \ ; marked by <-- HERE after <-- HERE near column 1 at /usr/src/linux/scripts/sign-file line 1.

But perl is no longer needed since kernel 4.3.3 and sign-file is now an executable, so it should read like this:

~]# /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko


Additional info:

Comment 1 Andrew Henry 2018-08-14 10:47:33 UTC
Note that to get all info about keys inc Microsodt one, also need to run:

keyctl list %:.secondary_trusted_keys

Comment 3 nicolasoliver03 2021-01-29 19:19:41 UTC
Great docs!

The only missing thing I see is how you re-sign a module with a custom key.
For example, I am using my own Secure Boot PK, KEK, DB and DBX, and I have a custom signed kernel.
How do I pull already signed modules from the fedora repos and re-sign with my custom key so they can work on Secure Boot.
The docs in https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html does not say anything about it, and assumes you are compiling the module. 
Do you need to remove the previous signature, or can you append the new signature? 

Other than that, I think the docs are great :)

Comment 4 Petr Bokoc 2024-05-21 12:49:50 UTC
Looks like the original problem has been addressed. I copied comment #3 into a new issue in GitLab: https://gitlab.com/fedora/docs/fedora-linux-documentation/fedora-linux-sysadmin-guide/-/issues/13 

I'm working on closing all Fedora Docs components in Bugzilla, so please use Gitlab in the future to report any problems.