Fedora Silverblue users with SecureBoot enabled and akmod
s such as akmod-nvidia
or akmod-VirtualBox
.
akmods-keys
provides my solution for Issue 499 (Issue 272) on Fedora Silverblue (and its variants, such as Kinoite).
On Fedora Workstation, akmods
signs the kernel modules it creates in its %post
operation.
On Fedora Silverblue, the signing does not work because the keys, which are typically stored in /etc/pki/akmods/{certs,private}
, are not accessible.
akmods-keys
solves this issue with @travier's idea.
Basic idea:
akmods-keys
that provides these keys in /etc/pki/akmods-keys/{certs,private}
.akmods
use them, but with the configuration in /etc/rpm/macros.kmodtool
that points to our keys in akmods-keys
.### Requirements ###
rpm-ostree install --apply-live rpmdevtools akmods
### Install your Machine Owner Key (MOK) ###
sudo kmodgenca
sudo mokutil --import /etc/pki/akmods/certs/public_key.der
## Clone this project
git clone https://github.com/CheariX/silverblue-akmods-keys
cd silverblue-akmods-keys
### Build akmods-keys
sudo bash setup.sh
rpm-ostree install akmods-keys-0.0.2-8.fc$(rpm -E %fedora).noarch.rpm
Note: setup.sh
is very rudimentary. Please check before using.
I tested it with
rpm-ostree install akmod-nvidia akmod-VirtualBox
The modules are automatically signed.
Some notes to myself :)
OSTrees are located in /sysroot/ostree/deploy/fedora/deploy/
.
This fish
command was handy for me to find out whether akmods
signed a module after an rpm-ostree
operation without rebooting the system.
modinfo -F signature /sysroot/ostree/deploy/fedora/deploy/(rpm-ostree status --json | jq -r ".deployments[0].checksum").0/usr/lib/modules/*/extra/nvidia*/nvidia.ko.xz
Change (rpm-ostree...
to $(rpm-ostree
for bash compatiblity.
It works for me. Hopefully also for you. I did not do any deep testing with it.
/etc/pki/akmods-keys
in contrast to /etc/pki/akmods
?To be honest, this was the first solution that worked for me. Maybe they could also be placed in /etc/pki/akmods,
but I thought it would be a good idea to have a unique place that does not lead to conflicts.
I checked the key location in
ls -al /sysroot/ostree/deploy/fedora/deploy/(rpm-ostree status --json | jq ".deployments[0].checksum" | sed 's/"//g').0/etc/pki/akmods-keys/{certs,private}
Permission denied (os error 13)
They seem to be readable by root only.
However, I'd recommend deleting the akmods-keys-0.0.2-8.fc36.noarch.rpm
file.
No. It is still a work-around, although it works pretty well (at least for me).
According to @travier, the ideal solution would be (https://github.com/fedora-silverblue/issue-tracker/issues/272#issuecomment-1160653984):
The only potential fix that I'm aware of would be to store those keys into the kernel keyring and then request them while building the module during the rpm-ostree transaction.
This is something that akmods-keys
cannot accomplish (or at least I don't know how), and Fedora Silverblue would have to adopt.
Any further development/investigation should be moved to the CoreOS issue: https://github.com/coreos/rpm-ostree/issues/3885
akmods
and for showing me how to create RPM spec files and build them.