{"id":10983,"date":"2024-05-22T23:23:41","date_gmt":"2024-05-23T04:23:41","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=10983"},"modified":"2024-05-24T23:49:39","modified_gmt":"2024-05-25T04:49:39","slug":"signing-kernel-modules","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=10983","title":{"rendered":"Signing Kernel Modules"},"content":{"rendered":"\n<p>The new servers being built at work use SecureBoot &#8212; something that you don&#8217;t even notice 99% of the time. But that 1% where you are doing something &#8220;strange&#8221; like trying to use OpenZFS &#8230; well, you&#8217;ve got to sign any kernel modules that you need to use. Just installing them doesn&#8217;t work &#8212; they won&#8217;t load. <\/p>\n\n\n\n<p>To sign a kernel module, first you need to create a signing key and use mokutil to import it into the machine owner key store. <\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\ncd \/root\nmkdir signing\ncd signing\nopenssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj &quot;\/CN=Windstream\/&quot;\n\nmokutil --import MOK.der\n<\/pre><\/div>\n\n\n<p>When you run mokutil, you will set a password. 
This password will be needed to complete importing the key to the machine.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok0.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"106\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok0-1024x106.png\" alt=\"\" class=\"wp-image-10984\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok0-1024x106.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok0-300x31.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok0-768x79.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok0-750x77.png 750w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok0.png 1474w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Get access to the console &#8212; out of band management, vSphere manager, stand in front of the server. Reboot, and there will be a &#8220;press any key&#8221; screen for ten seconds that begins the import process. 
Press any key!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"890\" height=\"585\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok1.png\" alt=\"\" class=\"wp-image-10985\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok1.png 890w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok1-300x197.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok1-768x505.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok1-750x493.png 750w\" sizes=\"auto, (max-width: 890px) 100vw, 890px\" \/><\/a><\/figure>\n\n\n\n<p>Select &#8220;Enroll MOK&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"773\" height=\"519\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok2.png\" alt=\"\" class=\"wp-image-10986\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok2.png 773w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok2-300x201.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok2-768x516.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok2-750x504.png 750w\" sizes=\"auto, (max-width: 773px) 100vw, 773px\" \/><\/a><\/figure>\n\n\n\n<p>View the key and verify it is the right one, then use &#8216;Continue&#8217; to import it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"817\" height=\"583\" 
src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok3.png\" alt=\"\" class=\"wp-image-10987\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok3.png 817w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok3-300x214.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok3-768x548.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok3-750x535.png 750w\" sizes=\"auto, (max-width: 817px) 100vw, 817px\" \/><\/a><\/figure>\n\n\n\n<p>Enter the password used when you ran mokutil.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok4-1024x683.png\" alt=\"\" class=\"wp-image-10988\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok4-1024x683.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok4-300x200.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok4-768x512.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok4-750x500.png 750w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok4.png 1066w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Then reboot.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"808\" height=\"552\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok5.png\" alt=\"\" class=\"wp-image-10989\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok5.png 808w, 
https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok5-300x205.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok5-768x525.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2024\/05\/EnrollMok5-750x512.png 750w\" sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/a><\/figure>\n\n\n\n<p>To verify your key has been successfully enrolled:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\nmokutil --list-enrolled\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"<p>The new servers being built at work use SecureBoot &#8212; something that you don&#8217;t even notice 99% of the time. But that 1% where you are doing something &#8220;strange&#8221; like trying to use OpenZFS &#8230; well, you&#8217;ve got to sign any kernel modules that you need to use. Just installing them doesn&#8217;t work &#8212; they &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[294,2021,2020,1195],"class_list":["post-10983","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-linux","tag-machine-owner-key","tag-mok","tag-redhat"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10983"}],"version-history":[{"count":2,"href":"https:\/\/w
ww.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10983\/revisions"}],"predecessor-version":[{"id":10999,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10983\/revisions\/10999"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}