Fixing "insmod: error: required key not available"

Because today's BIOS firmware supports EFI, when the machine boots with UEFI Secure Boot enabled every kernel module must be signed with a UEFI Secure Boot key.

List the keys currently on the system keyring:

# keyctl list %:.system_keyring

If UEFI Secure Boot is not enabled, the output looks roughly like this:

3 keys in keyring:
...asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87...
...asymmetric: Red Hat Enterprise Linux kernel signing key: 4249689eefc77e95880b...
...asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b7...
Otherwise it looks roughly like this:

6 keys in keyring:
...asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87...
...asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29...
...asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed...
...asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e...
...asymmetric: Red Hat Enterprise Linux kernel signing key: 4249689eefc77e95880b...
...asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b7...
You can also list the verification keys the kernel loaded from UEFI Secure Boot sources (the UEFI Secure Boot db, the embedded shim, and the MOK list):

dmesg | grep 'EFI: Loaded cert'
[5.160660] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a9290239...
[5.160674] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309b...
[5.165794] EFI: Loaded cert 'Red Hat Secure Boot (CA key 1): 4016841644ce3a8...
Of course, if your BIOS allows UEFI Secure Boot to be disabled, you can turn it off in the BIOS boot settings.

Otherwise the only option is to create a signing key of your own.

Tools involved:

Command    Package       Used on         Purpose
openssl    openssl       Build system    Generate the X.509 public/private key pair
sign-file  kernel-devel  Build system    Sign kernel modules with the X.509 key pair
perl       perl          Build system    Runs the signing script
mokutil    mokutil       Target system   Manually enrol the public key on the system
keyctl     keyutils      Target system   Manually remove the enrolled public key from the system
Example of generating an X.509 key pair:

1. Create the configuration file:

cat << EOF > configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
2. Generate the key pair (the public and private key are usually kept in /usr/src/kernels/`uname -r`):

# openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config configuration_file.config -outform DER -out public_key.der -keyout private_key.priv
3. Enrol the key on the target system, by one of these methods:

   1. Embed the generated UEFI Secure Boot key into the factory firmware image, i.e. the BIOS (practically impossible)

   2. Embed the generated UEFI Secure Boot key into the EFI image (I don't know how to do this; if anyone knows, please let me know)

   3. Add the public key to the MOK list with the following steps:

mokutil --import public_key.der
Then reboot the machine; during the reboot there is a password verification step.


Signing modules with the private key:

Either build the module directly:

make -C /usr/src/kernels/$(uname -r) M=$PWD modules
Or sign it after it has been built (with mod_dir set to the directory containing the built module):

cd /usr/src/kernels/`uname -r` && perl ./scripts/sign-file sha256 private_key.priv public_key.der "$mod_dir"/mod.ko
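Before deploying a module signed this way, it is worth confirming that the signature trailer was actually appended. The following shell script is an added example, not part of the original post: it parses the trailer that sign-file writes at the end of a .ko and reports the signature type and length. The sample files it builds are constructed stand-ins (no real ELF, no real signature) used only to exercise the check.

```shell
#!/bin/sh
# Added example: inspect the signature trailer that scripts/sign-file appends
# to a .ko, so you can confirm a module is signed before loading it on a
# Secure Boot system. Presence of the trailer is not validity: the kernel
# still has to find the signer's key on its keyring (keyctl list above).
#
# Trailer layout (struct module_signature in the kernel sources):
#   <module payload> <signature bytes> <12-byte header> "~Module signature appended~\n"
#   header = algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (big-endian u32)
#   id_type 1 = X.509 with signer name and key id (older perl sign-file),
#   id_type 2 = PKCS#7 (current sign-file).
MARKER='~Module signature appended~'

# module_sig_check FILE
#   prints "id_type=<n> sig_len=<n>" and returns 0 when the trailer is present;
#   returns 1 and prints nothing when the file carries no module signature.
module_sig_check() {
    f="$1"
    size=$(wc -c < "$f")
    # Minimum size: 12-byte header + 28-byte marker (27 characters + newline).
    [ "$size" -ge 40 ] || return 1
    [ "$(tail -c 28 "$f" | head -c 27)" = "$MARKER" ] || return 1
    # The 12 header bytes sit just before the marker; dump them as unsigned decimals.
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -tu1 -v)
    [ $# -eq 12 ] || return 1
    id_type=$3
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    # The signature bytes must fit inside the file ahead of the header.
    [ $((size - 40)) -ge "$sig_len" ] || return 1
    printf 'id_type=%s sig_len=%s\n' "$id_type" "$sig_len"
}

# Constructed samples (not real modules): one with a fake 5-byte PKCS#7-style
# trailer, one with no trailer at all. Prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf 'payload' > "$dir/unsigned.ko"
    { printf 'payloadSIGSG'
      printf '\000\000\002\000\000\000\000\000\000\000\000\005'
      printf '%s\n' "$MARKER"; } > "$dir/signed.ko"
    echo "$dir"
}
```

On a real module, compare the result with `modinfo -F signer mod.ko` and the keyring listing to see whether the kernel will accept it.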

