Loading self-compiled, mok-signed, in-tree kernel module blocked by kernel lockdown

Linux Kernel, Network, and Services configuration.
mordeaux
Posts: 2
Joined: 2022-05-09 18:32

Loading self-compiled, mok-signed, in-tree kernel module blocked by kernel lockdown

#1 Post by mordeaux »

Hi.

I'm having trouble loading the ec_sys kernel module (in-tree, under drivers/acpi) that I myself compiled and signed. I'm running Debian 11 with Secure Boot, kernel 5.10.0-14-amd64.
Disclaimer: Please bear in mind that this is the very first time I touched kernel code so I realize the things I'm doing are probably 'hacky' at best and perhaps just plain wrong. Any advice is appreciated.

In short, the problem is that when I run

Code:

sudo modprobe -f ec_sys

I'm getting an error:
modprobe: ERROR: could not insert 'ec_sys': Operation not permitted

dmesg yields the following:
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
I did some research on kernel lockdown and as far as I know all that would be fine, if that were an unsigned module, but I did actually sign it following Debian's official documentation on Secure Boot:
https://wiki.debian.org/SecureBoot

I figured that I must be doing something terribly wrong regarding the module compilation, because I think the signing process is pretty straightforward and I had no trouble grasping it - which I can't really say about building the module.

Consequently, below are the steps I performed to build the module prior to enrolling MOK and the signing process.

With help from https://kernel-team.pages.debian.net/ke ... tasks.html:

Code:

# Got the source code
apt source linux 
cd linux-5.10.113

# Generate .config
make localmodconfig

# Enable ec_sys in menuconfig (or just set CONFIG_ACPI_EC_DEBUGFS=m in .config)
make menuconfig

# Prepare modules
make modules_prepare

# Build acpi modules as they're the only ones of interest to me
make modules M=drivers/acpi

Building the module ended with the following warnings:
WARNING: Symbol version dump "Module.symvers" is missing. Modules may not have dependencies or modversions.
MODPOST drivers/acpi/Module.symvers
WARNING: modpost: Symbol info of vmlinux is missing. Unresolved symbol check will be entirely skipped.

As a consequence, running modprobe without -f flag causes this error to appear instead of the originally mentioned one:
modprobe: ERROR: could not insert 'ec_sys': Exec format error
If I understand it correctly, getting rid of that error would require compilation of the entire kernel which is something I would like to avoid, thus the (possibly temporary) force solution.

Afterwards I copied the module to /lib/modules/$(uname -r), enrolled new MOK and signed the module.

That would be all. As I said, any advice is appreciated.
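
A quick way to confirm that the signing step actually left a signature on the .ko, written as an added example that is not part of the original post: it parses the trailer the kernel looks for at the end of a signed module (the `~Module signature appended~` marker preceded by `struct module_signature`). It checks the format only, not whether the signing key is enrolled and trusted; `inspect_module` and `constructed_sample` are names made up for this example, and the sample bytes are constructed, not a real module.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING, last 28 bytes of a signed .ko
PKEY_ID_PKCS7 = 2                          # the only id_type the kernel accepts
TRAILER = struct.Struct(">5B3sI")          # struct module_signature (12 bytes, sig_len big-endian)


def inspect_module(blob: bytes) -> dict:
    """Report whether a module image carries a well-formed appended signature."""
    if not blob.endswith(MAGIC):
        return {"signed": False, "reason": "no signature marker"}
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        return {"signed": False, "reason": "truncated trailer"}
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    body = body[:-TRAILER.size]
    if sig_len == 0 or sig_len >= len(body):
        return {"signed": False, "reason": "bad signature length"}
    if id_type != PKEY_ID_PKCS7:
        return {"signed": False, "reason": "id_type is not PKCS#7"}
    if any((algo, hash_, signer_len, key_id_len)) or pad != b"\0\0\0":
        return {"signed": False, "reason": "reserved fields not zero"}
    pkcs7 = body[len(body) - sig_len:]
    return {
        "signed": True,
        "sig_len": sig_len,
        "payload_len": len(body) - sig_len,      # size of the ELF image that was signed
        "looks_like_der": pkcs7[:1] == b"\x30",  # a PKCS#7 blob starts with a DER SEQUENCE
    }


def constructed_sample(signed: bool = True) -> bytes:
    """Constructed stand-in for a .ko: fake ELF bytes plus an optional fake trailer."""
    payload = b"\x7fELF" + bytes(60)
    if not signed:
        return payload
    sig = b"\x30\x82" + bytes(30)  # placeholder bytes, not a real PKCS#7 signature
    return payload + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, bytes(3), len(sig)) + MAGIC


if __name__ == "__main__":
    # Pass the path of an uncompressed .ko, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    print(inspect_module(data))
```

Note that the kernel's module_sig_check() only attempts verification when the load is requested with no flags, so a load forced with `modprobe -f` is treated as unsigned even when this trailer is present and well-formed.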

Aki
Global Moderator
Posts: 2823
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 69 times
Been thanked: 385 times

Re: Loading self-compiled, mok-signed, in-tree kernel module blocked by kernel lockdown

#2 Post by Aki »

Hello,
This is an interesting topic. Have you worked it out?

mordeaux
Posts: 2
Joined: 2022-05-09 18:32

Re: Loading self-compiled, mok-signed, in-tree kernel module blocked by kernel lockdown

#3 Post by mordeaux »

Not yet, unfortunately. I decided to put it aside for some time, hoping I'll have more success after a break. If I manage to achieve anything worthwhile, I'll share it here, of course.
