Univention Bugzilla – Bug 38214
Customize kernel module signing key
Last modified: 2018-04-14 14:09:24 CEST
Our signed kernel modules use the default "Magrathea" key, which just looks strange.
We should generate a customized "Univention" key following <https://www.kernel.org/doc/Documentation/module-signing.txt> → "GENERATING SIGNING KEYS", as this (currently) generates some strange errors like
> kernel: Request for unknown module key 'Magrathea: Glacier signing key: ...' err -11
See end of kernel/Makefile: it is enough to provide a custom file x509.genkey.
+++ This bug was initially created as a clone of Bug #36335 +++
With dd2f6c4481debfa389c1f2b2b1d5bd6449c42611 (v3.18-rc1) but without e7c87bef7de2417b219d4dbfe8d33a0098a8df54 (v4.3-rc4) this breaks loading signed modules:
> Request for unknown module key 'Build time autogenerated kernel key: 006416f63733d99e57be1fd3a06d66c85b9e2c23' err -11
I requested the inclusion of said patch into 3.18-4.2.
This would allow us to build custom modules for already released kernels.
On the other hand NSA can't force us to give them a key we don't have.
FYI: The name was changed from "O=Magrathea,CN=Glacier signing key" to "CN = Build time autogenerated kernel key" by git:9c4249c8e0221e5cfae758d35b768aee84abf6c0
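
The custom x509.genkey approach from the bug description, sketched as an added example (not Univention's or the kernel's own file). The O, CN and emailAddress values are constructed placeholders, the function names are hypothetical, and the signing_key.priv / signing_key.x509 file names assume the older kernel/Makefile layout the report refers to.

```shell
#!/bin/sh
# Added example: write a custom x509.genkey and generate a module signing
# key pair from it, then show the subject that will appear in kernel logs.

write_genkey() {
    # $1 = path of the OpenSSL request config to create
    cat > "$1" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
# Constructed placeholder identity; replace with the distributor's own.
O = Example Org
CN = Example kernel module signing key
emailAddress = kernel-signing@example.invalid

[ myexts ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

generate_key() {
    # $1 = directory containing x509.genkey; key files are written next to it.
    # The private key is unencrypted (-nodes), so restrict its permissions.
    ( umask 077
      openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 \
          -config "$1/x509.genkey" -outform DER \
          -out "$1/signing_key.x509" -keyout "$1/signing_key.priv" 2>/dev/null )
}

key_subject() {
    # $1 = same directory; prints the certificate subject for a pre-build check
    openssl x509 -inform DER -in "$1/signing_key.x509" -noout -subject
}

# Usage: d=$(mktemp -d); write_genkey "$d/x509.genkey"; generate_key "$d"; key_subject "$d"
```

Checking the subject before the build confirms the default autogenerated name is no longer used; anyone holding signing_key.priv can sign modules the kernel will accept, so it needs the same protection as any release key.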