pwnenuser (n00b)
Joined: 26 Mar 2024, Posts: 4
Posted: Wed Apr 03, 2024 2:26 pm, Post subject: sign nvidia module while using binary kernel
I am using a secureboot setup and it's working perfectly,
but I am facing a problem with the nvidia modules; they work without secureboot.
https://wiki.gentoo.org/wiki/NVIDIA/nvidia-drivers
According to this guide there should be a "signing_key.pem", but the binary kernel doesn't provide signing keys.
https://wiki.gentoo.org/wiki/Signed_kernel_module_support
So I tried to sign the nvidia modules manually using the same keys I am using for secure boot, the db keys:
Code:
/usr/src/linux/scripts/sign-file sha512 db.key db.pem /lib/modules/6.6.21-gentoo-dist/video/nvidia-uvm.ko
I signed all nvidia modules this way.
db.key
Code:
-----BEGIN PRIVATE KEY-----
.....
-----END PRIVATE KEY-----
db.pem
Code:
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
I am using a unified kernel image and the keys are created using the sbctl tool.
Which part am I doing wrong?
Yamakuzure (Advocate)
Joined: 21 Jun 2006, Posts: 2287, Location: Adendorf, Germany
Posted: Thu Apr 04, 2024 2:13 pm
I have nvidia-drivers merged with USE="modules-sign" and have this in make.conf:
Code:
$ grep SIGN_ /etc/portage/make.conf
SECUREBOOT_SIGN_KEY="/etc/efikeys/db.key"
SECUREBOOT_SIGN_CERT="/etc/efikeys/db.crt"
MODULES_SIGN_KEY="/etc/efikeys/db.key"
MODULES_SIGN_HASH="sha256"
MODULES_SIGN_CERT="/etc/efikeys/db.crt"
portage then signs the modules automatically.
See: https://wiki.gentoo.org/wiki/Secure_Boot#USE_flags
_________________
Edited 220,176 times by Yamakuzure
pwnenuser (n00b)
Joined: 26 Mar 2024, Posts: 4
Posted: Thu Apr 04, 2024 9:02 pm
Quote:
Code:
$ grep SIGN_ /etc/portage/make.conf
SECUREBOOT_SIGN_KEY="/etc/efikeys/db.key"
SECUREBOOT_SIGN_CERT="/etc/efikeys/db.crt"
MODULES_SIGN_KEY="/etc/efikeys/db.key"
MODULES_SIGN_HASH="sha256"
MODULES_SIGN_CERT="/etc/efikeys/db.crt"

I used this method before doing the manual way. I even tried the manual way of creating keys and enrolling them as stated here https://wiki.gentoo.org/wiki/Secure_Boot without sbctl, but it also didn't work; secureboot is working fine.
For now I switched back to a custom kernel, it works pretty well. Thank you for your response.
pietinger (Moderator)
Joined: 17 Oct 2006, Posts: 4867, Location: Bavaria
Posted: Thu Apr 04, 2024 10:13 pm
pwnenuser wrote:
[...] before doing the manual way [...]

I don't understand what you mean exactly with this ... but ...
... have you copied (and renamed) your "db.pem" to /usr/src/linux/certs/signing_key.pem ?
Another way is to change the path/file here:
Code:
-*- Cryptographic API --->
    Certificates for signature checking --->
        (certs/signing_key.pem) File name or PKCS#11 URI of module signing key
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Yamakuzure (Advocate)
Joined: 21 Jun 2006, Posts: 2287, Location: Adendorf, Germany
Posted: Fri Apr 05, 2024 10:08 am
pietinger wrote:
Another way is to change the path/file here:
Code:
-*- Cryptographic API --->
    Certificates for signature checking --->
        (certs/signing_key.pem) File name or PKCS#11 URI of module signing key

Please do not forget that you have to combine your key and crt into the pem for the kernel module signing to work.
Example:
Code:
cat /etc/efikeys/db.key /etc/efikeys/db.crt > certs/signing_key.pem
Personally I do not store it in the certs subfolder, but use a fixed path, so I would not have to copy the pem again after each kernel source update.
_________________
Edited 220,176 times by Yamakuzure
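Two checks for the workflow discussed in this thread, as an added example that is not part of any post: that the combined PEM really holds both the key and the certificate, and that a module actually carries the trailer `sign-file` appends. All paths are placeholders and the self-check runs only on constructed files.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the signing
# workflow above. Paths are placeholders; the self-check uses constructed
# files only and never touches real keys.

# Combine key and certificate into the PEM the kernel build expects
# (key first, then cert, exactly as the cat command in the thread does).
make_signing_pem() {  # usage: make_signing_pem db.key db.crt out.pem
    cat "$1" "$2" > "$3"
}

# Succeed only if the PEM holds one private key AND one certificate;
# a bare db.crt or a bare db.key fails this check.
check_signing_pem() {
    keys=$(grep -cE 'BEGIN (RSA |EC )?PRIVATE KEY' "$1" || true)
    certs=$(grep -cE 'BEGIN CERTIFICATE' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ]
}

# Succeed if the module ends with the 28-byte trailer that sign-file appends.
is_module_signed() {
    tail -c 28 "$1" | grep -q '~Module signature appended~'
}

# The signing step itself, as in the first post (only meaningful on a real system).
sign_module() {  # usage: sign_module sha512 db.key db.pem nvidia-uvm.ko
    /usr/src/linux/scripts/sign-file "$1" "$2" "$3" "$4"
}

# Self-check on constructed data; returns 0 when every check behaves as expected.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIC...(constructed)' \
        '-----END PRIVATE KEY-----' > "$d/db.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...(constructed)' \
        '-----END CERTIFICATE-----' > "$d/db.crt"
    make_signing_pem "$d/db.key" "$d/db.crt" "$d/signing_key.pem"
    printf 'fake module body' > "$d/unsigned.ko"
    printf 'fake module body[fake pkcs7]~Module signature appended~\n' > "$d/signed.ko"
    if check_signing_pem "$d/signing_key.pem" && ! check_signing_pem "$d/db.crt" \
       && is_module_signed "$d/signed.ko" && ! is_module_signed "$d/unsigned.ko"
    then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

On a live system, `modinfo -F sig_key /path/to/module.ko` prints the key id of the signer for a signed module, which is the quickest way to see which certificate a module was signed with.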
pietinger (Moderator)
Joined: 17 Oct 2006, Posts: 4867, Location: Bavaria
Posted: Fri Apr 05, 2024 2:17 pm
Yamakuzure wrote:
Please do not forget that you have to combine your key and crt into the pem for the kernel module signing to work.
Example:
Code:
cat /etc/efikeys/db.key /etc/efikeys/db.crt > certs/signing_key.pem

Yes, I have indeed forgotten it again, and thank you very much for reminding me. We already had a post about it in our forum, but unfortunately I can't find it again.
_________________
https://wiki.gentoo.org/wiki/User:Pietinger