| View previous topic :: View next topic |
| Author |
Message |
pwnenuser
n00b
Joined: 26 Mar 2024
Posts: 4
|
 Posted: Wed Apr 03, 2024 2:26 pm Post subject: sign nvidia module while using binary kernel |
 |
|
i am using secureboot setup and its working perfectly
but i am facing problem with nvidia modules, its working without secureboot
https://wiki.gentoo.org/wiki/NVIDIA/nvidia-drivers
according to this guide there should be "signing_key.pem" but binary kernel doesnt provide singing keys
https://wiki.gentoo.org/wiki/Signed_kernel_module_support
so i tried to sign nvidia modules manually using the same keys i am using for secure boot, using db keys
| Code: | | /usr/src/linux/scripts/sign-file sha512 db.key db.pem /lib/modules/6.6.21-gentoo-dist/video/nvidia-uvm.ko |
signed all nvidia modules
db.key
| Code: | -----BEGIN PRIVATE KEY-----
.....
-----END PRIVATE KEY----- |
db.pem
| Code: | -----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE----- |
i am using unified kernel image and keys are created using sbctl tool
which part i am doing wrong? |
|
| Back to top |
|
 |
Yamakuzure
Advocate
Joined: 21 Jun 2006
Posts: 2284
Location: Adendorf, Germany
|
| Posted: Thu Apr 04, 2024 2:13 pm Post subject: |
|
|
I have nvidia-drivers merged with USE="modules-sign" and have this in make.conf:
| Code: | $ grep SIGN_ /etc/portage/make.conf
SECUREBOOT_SIGN_KEY="/etc/efikeys/db.key"
SECUREBOOT_SIGN_CERT="/etc/efikeys/db.crt"
MODULES_SIGN_KEY="/etc/efikeys/db.key"
MODULES_SIGN_HASH="sha256"
MODULES_SIGN_CERT="/etc/efikeys/db.crt" |
portage then signs the modules automatically.
See: https://wiki.gentoo.org/wiki/Secure_Boot#USE_flags
_________________
Important German:- "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
- "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
|
|
| Back to top |
|
|
pwnenuser
n00b
Joined: 26 Mar 2024
Posts: 4
|
| Posted: Thu Apr 04, 2024 9:02 pm Post subject: |
|
|
| Quote: |
| Code: | $ grep SIGN_ /etc/portage/make.conf
SECUREBOOT_SIGN_KEY="/etc/efikeys/db.key"
SECUREBOOT_SIGN_CERT="/etc/efikeys/db.crt"
MODULES_SIGN_KEY="/etc/efikeys/db.key"
MODULES_SIGN_HASH="sha256"
MODULES_SIGN_CERT="/etc/efikeys/db.crt" |
|
i used this method before doing the manual way even i tried manual way of creating keys and enrolling them as stated here https://wiki.gentoo.org/wiki/Secure_Boot without sbctl but it also did'nt worked, secureboot is working fine
for now i switched back to custom kernel it works pretty wall, and thank you for your response |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4169
Location: Bavaria
|
| Posted: Thu Apr 04, 2024 10:13 pm Post subject: |
|
|
| pwnenuser wrote: | | [...] before doing the manual way [...] |
I dont understand what you mean exactly with this ... but ...
... have you copied (and renamed) your "db.pem" to /usr/src/linux/certs/signing_key.pem ?
Another way is to change the path/file here:
| Code: | -*- Cryptographic API --->
Certificates for signature checking --->
(certs/signing_key.pem) File name or PKCS#11 URI of module signing key |
_________________
https://wiki.gentoo.org/wiki/User:Pietinger |
|
| Back to top |
|
|
Yamakuzure
Advocate
Joined: 21 Jun 2006
Posts: 2284
Location: Adendorf, Germany
|
| Posted: Fri Apr 05, 2024 10:08 am Post subject: |
|
|
| pietinger wrote: | Another way is to change the path/file here:
| Code: | -*- Cryptographic API --->
Certificates for signature checking --->
(certs/signing_key.pem) File name or PKCS#11 URI of module signing key |
|
Please do not forget that you have to combine your key and crt to the pem for the kernel module signng to work.
Example:
| Code: | | cat /etc/efikeys/db.key /etc/efikeys/db.crt > certs/signing_key.pem |
Personally I do not store it in the certs subfolder, but use a fixed path, so I would not have to copy the pem again after each kernel source update.
_________________
Important German:- "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
- "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
|
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4169
Location: Bavaria
|
| Posted: Fri Apr 05, 2024 2:17 pm Post subject: |
|
|
| Yamakuzure wrote: | Please do not forget that you have to combine your key and crt to the pem for the kernel module signng to work.
Example:
| Code: | | cat /etc/efikeys/db.key /etc/efikeys/db.crt > certs/signing_key.pem |
|
Yes, I have indeed forgotten it again and thank you very much for reminding me.  We already had a post about it in our forum, but unfortunately I can't find it again. 
_________________
https://wiki.gentoo.org/wiki/User:Pietinger |
|
| Back to top |
|
|
|
Networking & Security
