From: lw@cn.fujitsu.com (Li Wei)
To: kernelnewbies@lists.kernelnewbies.org
Subject: signing kernel modules on RHEL 7
Date: Thu, 4 Jun 2015 17:15:47 +0800
Message-ID: <55701743.4090106@cn.fujitsu.com>
In-Reply-To: <CA+jr3UVGsKa0A=1T63zvsTVUfviWTB2b7FFhbNv4af_qMpiziA@mail.gmail.com>



On 05/28/2015 05:08 PM, Chakradhar thota wrote:
> Thank you Li Wei.
> Is MOK supported in Legacy BIOS? I have tried to import but after

No, MOK is some kind of UEFI thing.

MOK is the only way to insert your own public key without recompiling the kernel.

Thanks.

> reboot couldn't find the key registered
> All articles of Signing kernel modules mention about UEFI environment
> for registering MOK.
> Can we register MOK with Legacy BIOS?
> 
> On Thu, May 28, 2015 at 1:14 PM, Li Wei <lw@cn.fujitsu.com> wrote:
>> Hi,
>>
>> On 05/20/2015 08:41 PM, Chakradhar thota wrote:
>>> Hello Everyone,
>>>
>>> I have compiled a kernel module on RHEL7 but when I insert the module, I
>>> got the following warning
>>>
>>> "module verification failed: signature and/or required key missing -
>>> tainting kernel".
>>>
>>> I tried signing the module on a custom kernel and found it working.
>>> How can we sign the module for a target system with a standard RHEL distribution?
>>> Where can we find keys for signing the module on a standard kernel?
>>
>> You will never get the signing key from RH, it's RH's private key.
>> You should import your own key into the MOK (Machine Owner Key) list and use
>> your own private key to sign the module.
>>
>> RH has a document on this:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html
>>
>>>
>>> Regards,
>>> Chakradhar
>>>
>>> _______________________________________________
>>> Kernelnewbies mailing list
>>> Kernelnewbies at kernelnewbies.org
>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>
> .
> 
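
The two conditions discussed in this thread (MOK needs a UEFI boot, and the module must carry a signature made with your own key) can be checked before attempting enrollment. The script below is an added example, not code from the thread or from Red Hat; the function names and the SYSFS_ROOT override are hypothetical, and it relies on two kernel facts: /sys/firmware/efi exists only on UEFI boots, and signed modules end with the "~Module signature appended~" marker.

```shell
#!/bin/sh
# Added example: pre-flight checks before enrolling a MOK and loading a module.
# Usage after sourcing this file: mok_preflight /path/to/module.ko

# The kernel build appends this marker plus "\n" (28 bytes) to a signed module.
MODSIG_MARKER='~Module signature appended~'

# booted_via_uefi [SYSFS_ROOT]
# /sys/firmware/efi exists only when the kernel was booted through UEFI.
# SYSFS_ROOT is a hypothetical override so the check can be exercised offline.
booted_via_uefi() {
    [ -d "${1:-/sys}/firmware/efi" ]
}

# Hex-encode stdin so binary tails (which may contain NUL bytes) compare safely.
hex() { od -An -tx1 | tr -d ' \n'; }

# module_has_signature FILE
# True if FILE ends with the appended-signature marker. This shows only that a
# signature is attached, not that it verifies or that its key is trusted.
module_has_signature() {
    [ -f "$1" ] || return 1
    [ "$(tail -c 28 "$1" | hex)" = "$(printf '%s\n' "$MODSIG_MARKER" | hex)" ]
}

# mok_preflight MODULE [SYSFS_ROOT]
# Returns 0: UEFI boot and the module carries a signature
#         1: legacy BIOS boot (no MOK list available)
#         2: UEFI boot but the module is unsigned
mok_preflight() {
    if ! booted_via_uefi "$2"; then
        echo "legacy BIOS boot: no MOK list to enroll a key into"
        return 1
    fi
    if ! module_has_signature "$1"; then
        echo "UEFI boot, unsigned module: sign it with your own key first"
        return 2
    fi
    echo "UEFI boot, signed module: the signing key must be enrolled in MOK"
    return 0
}
```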
