Univention Bugzilla – Bug 36335
Sign kernel modules for UEFI Secure Boot
Last modified: 2015-10-14 12:17:05 CEST
We need at least:
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_FORCE needs to be checked.
root@master701:~# grep CONFIG_MODULE_SIG /boot/config-3.16-ucs89-amd64
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
root@master701:~#
Modules currently seem not to contain the signature. Signatures seem to be removed by strip:
http://wiki.gentoo.org/index.php?oldid=109463#Validating_module_signature_support
I've added a manual sign command to the rules file.
ucs102 has signed modules:
root@master501:~# hexdump -C /lib/modules/3.16-ucs102-amd64/kernel/arch/x86/crypto/aes-x86_64.ko | tail -n 4
00005e10  14 00 00 00 00 00 02 02  7e 4d 6f 64 75 6c 65 20  |........~Module |
00005e20  73 69 67 6e 61 74 75 72  65 20 61 70 70 65 6e 64  |signature append|
00005e30  65 64 7e 0a                                       |ed~.|
00005e34
root@master501:~#

(In reply to Janek Walkenhorst from comment #2)
> Signatures seem to be removed by strip:
Without the strip command the kernel package is more than 300 MB instead of 30 MB.
Modules are signed; invalid signatures do not load.
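The hexdump above only eyeballs the trailing marker. The script below is an added example (not Univention's code) that parses the whole trailer according to the kernel's struct module_signature, so a build or QA step can confirm that every .ko still carries its signature after strip has run. The sample bytes are constructed; key_id_len 20 and sig_len 514 are what the eight bytes before the marker in the hexdump above decode to under that layout.

```python
import struct
import sys

# Trailer layout from the kernel's struct module_signature (kernel/module_signing.c):
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len,
# followed by the 28-byte marker.  `strip` discards this whole trailer.
MARKER = b"~Module signature appended~\n"
SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_X509 = 1   # 3.x-era format: signer name and key id precede the signature
PKEY_ID_PKCS7 = 2  # newer kernels: a single PKCS#7 blob


def parse_module_signature(data: bytes):
    """Return the trailer fields of a .ko image, or None if it is unsigned."""
    if not data.endswith(MARKER):
        return None
    body = data[:-len(MARKER)]
    if len(body) < SIG_STRUCT.size:
        return None
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:])
    # Signer name, key id and signature bytes sit directly before the struct.
    payload_len = signer_len + key_id_len + sig_len
    if payload_len > len(body) - SIG_STRUCT.size:
        return None  # trailer claims more bytes than the file holds: corrupt
    return {
        "algo": algo, "hash": hsh, "id_type": id_type,
        "signer_len": signer_len, "key_id_len": key_id_len, "sig_len": sig_len,
        "module_len": len(body) - SIG_STRUCT.size - payload_len,
    }


def check_file(path: str):
    """Parse a module on disk; None means the signature is missing."""
    with open(path, "rb") as f:
        return parse_module_signature(f.read())


# Constructed sample (not a real module): 64 bytes of fake ELF, a 20-byte key id,
# a 514-byte dummy signature, then the struct and marker.  The struct values match
# what the last eight bytes before the marker in the hexdump above decode to.
SAMPLE_MODULE = (b"\x7fELF" + b"\0" * 60 + b"\x11" * 20 + b"\xaa" * 514
                 + SIG_STRUCT.pack(0, 0, PKEY_ID_X509, 0, 20, 514) + MARKER)
STRIPPED_MODULE = b"\x7fELF" + b"\0" * 60   # what strip leaves behind

if __name__ == "__main__":
    for path in sys.argv[1:]:
        info = check_file(path)
        print(path, "signed sig_len=%d" % info["sig_len"] if info else "UNSIGNED")
```

Run it over /lib/modules/<version>/ after the package build; any "UNSIGNED" line means the trailer was stripped and the module will be rejected once CONFIG_MODULE_SIG_FORCE is enabled.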
UCS 4.0-0 has been released:
http://docs.univention.de/release-notes-4.0-0-en.html
http://docs.univention.de/release-notes-4.0-0-de.html
If this error occurs again, please use "Clone This Bug".