Issue:
I'm trying to use signed kernel modules, but getting a failure for the insmod
command:
PKCS#7 signature not signed with a trusted key
There is a potentially related error message during Linux boot:
[ 3.342888] Loading compiled-in X.509 certificates
[ 3.391774] Problem loading in-kernel X.509 certificate (-129)
The command cat /proc/keys shows:
.builtin_trusted_keys: empty
Setup:
The 4.9.x kernel was compiled with the following defconfig options:
...
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODVERSIONS=y
CONFIG_MODULE_SRCVERSION_ALL=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_PATH=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_BRINGUP=y
CONFIG_DEFAULT_SECURITY_DAC=y
...
Modules were signed with the command:
sign-file sha256 certs/signing_key.pem certs/signing_key.x509 <.ko>
Comments:
I assume I need to fix the in-kernel X.509 certificate loading error, but I haven't come across how to do that. I thought the file certs/signing_key.pem generated during kernel compilation would be wrapped into the kernel, but it appears not, based on /proc/keys. I don't want to disable signing or allow unsigned modules; I just want to sign them properly with a trusted key. If anyone has advice, that would be much appreciated.
The posts I've found regarding nvidia drivers and Ubuntu/Fedora haven't yielded any progress yet. Example: PKCS#7 signature not signed with a trusted key
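Two separate things have to hold for insmod to accept a module under CONFIG_MODULE_SIG_FORCE: the .ko must carry a well-formed appended PKCS#7 signature, and the kernel's .builtin_trusted_keys keyring must contain a key that verifies it. The boot message above shows the second condition failing before the first is ever tested: -129 is EKEYREJECTED, so the compiled-in certificate was rejected at boot and the keyring stayed empty, which is why the module signature can never chain to a trusted key. The script below is an added example (my own code, not from the original post or the kernel tree) that separates the two checks offline. It assumes the trailer layout that sign-file appends, a struct module_signature (algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len) followed by the magic string "~Module signature appended~\n", and it parses the text format of /proc/keys. The .ko image, the PKCS#7 bytes and the /proc/keys samples are constructed, and the function names are mine.

```python
import re
import struct

# Trailer that sign-file appends after the PKCS#7 DER blob.
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# __pad[3], sig_len (big-endian u32) -- 12 bytes in total.
SIG_INFO_FMT = ">BBBBB3xI"
SIG_INFO_LEN = struct.calcsize(SIG_INFO_FMT)


def append_signature(payload: bytes, pkcs7_der: bytes, id_type: int = PKEY_ID_PKCS7) -> bytes:
    """Lay out a signed module the way sign-file does:
    <ELF payload><PKCS#7 DER><struct module_signature><magic string>.
    No cryptography happens here; the caller supplies the PKCS#7 blob."""
    info = struct.pack(SIG_INFO_FMT, 0, 0, id_type, 0, 0, len(pkcs7_der))
    return payload + pkcs7_der + info + MODULE_SIG_STRING


def parse_module_signature(image: bytes):
    """Split a .ko image into payload and appended PKCS#7 signature.
    Returns None for an unsigned module; raises ValueError on a malformed trailer.
    This checks framing only: whether the signer is trusted is decided by the
    kernel against .builtin_trusted_keys, which this function cannot see."""
    if not image.endswith(MODULE_SIG_STRING):
        return None
    body = image[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO_LEN:
        raise ValueError("trailer too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        SIG_INFO_FMT, body[-SIG_INFO_LEN:]
    )
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}; PKCS#7 expected")
    # For PKCS#7 the kernel requires the legacy fields to be zero.
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("non-zero legacy fields in PKCS#7 module_signature")
    rest = body[:-SIG_INFO_LEN]
    if sig_len == 0 or sig_len > len(rest):
        raise ValueError(f"sig_len {sig_len} inconsistent with module size")
    split = len(rest) - sig_len
    return {"payload": rest[:split], "pkcs7": rest[split:], "sig_len": sig_len}


def builtin_trusted_key_count(proc_keys_text: str) -> int:
    """Read the .builtin_trusted_keys entry from /proc/keys output.
    A keyring line ends with '<name>: <count>' or '<name>: empty'."""
    for line in proc_keys_text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[7] != "keyring":
            continue
        m = re.fullmatch(r"\.builtin_trusted_keys: (empty|\d+)", fields[8].strip())
        if m:
            return 0 if m.group(1) == "empty" else int(m.group(1))
    raise LookupError(".builtin_trusted_keys not present in /proc/keys")


def trusted_asymmetric_keys(proc_keys_text: str) -> list:
    """Descriptions of asymmetric (X.509) keys visible in /proc/keys."""
    keys = []
    for line in proc_keys_text.splitlines():
        fields = line.split(None, 8)
        if len(fields) == 9 and fields[7] == "asymmetric":
            keys.append(fields[8].strip())
    return keys


def diagnose(image: bytes, proc_keys_text: str) -> str:
    """Say which of the two preconditions for a trusted signed module is missing."""
    sig = parse_module_signature(image)
    if sig is None:
        return "module is unsigned (CONFIG_MODULE_SIG_FORCE will refuse it)"
    if builtin_trusted_key_count(proc_keys_text) == 0:
        return "module carries a PKCS#7 signature but .builtin_trusted_keys is empty: no key can be trusted"
    return f"module signed ({sig['sig_len']}-byte PKCS#7); trusted keys: {trusted_asymmetric_keys(proc_keys_text)}"


# Constructed /proc/keys samples (serials and fingerprint are made up, not captured).
PROC_KEYS_EMPTY = """\
0d2af5a0 I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: empty
1e7c3b44 I------     1 perm 1f0b0000     0     0 keyring   .system_blacklist_keyring: empty
"""
PROC_KEYS_OK = """\
0d2af5a0 I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 1
2b5ec0a3 I------     1 perm 1f030000     0     0 asymmetric Build time autogenerated kernel key: 0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    # Constructed stand-in for a .ko and for a PKCS#7 blob; not real DER.
    payload = b"\x7fELF" + bytes(60)
    fake_pkcs7 = bytes.fromhex("308201aa") + bytes(20)
    print(diagnose(append_signature(payload, fake_pkcs7), PROC_KEYS_EMPTY))
    print(diagnose(append_signature(payload, fake_pkcs7), PROC_KEYS_OK))
    print(diagnose(payload, PROC_KEYS_OK))
```

On a real system, feed `open("/path/to/module.ko", "rb").read()` and the text of /proc/keys to diagnose(); if it reports an empty keyring while the trailer parses cleanly, the signing step was fine and the thing to fix is the certificate the kernel failed to load at boot.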