damentz / liquorix-package

Liquorix Debian Package
https://liquorix.net
GNU General Public License v2.0

Kernel Module Signing #153

Closed Xeboc closed 7 months ago

Xeboc commented 8 months ago

For DKMS to automatically sign kernel modules, it looks for:

I notice that module signing was previously enabled and has been disabled in recent versions of liquorix newer than 6.6.3-1:

/boot/config-6.5.11-4-liquorix-amd64
951:CONFIG_MODULE_SIG_HASH="sha256"

/boot/config-6.6.1-1-liquorix-amd64
964:CONFIG_MODULE_SIG_HASH="sha256"

/boot/config-6.6.2-1-liquorix-amd64
964:CONFIG_MODULE_SIG_HASH="sha256"

/boot/config-6.6.3-1-liquorix-amd64
964:CONFIG_MODULE_SIG_HASH="sha256"

Out of this list of installed kernels:

vmlinuz-6.6.11-1-liquorix-amd64
vmlinuz-6.6.2-1-liquorix-amd64
vmlinuz-6.6.3-1-liquorix-amd64
vmlinuz-6.6.3-2-liquorix-amd64
vmlinuz-6.6.4-1-liquorix-amd64
vmlinuz-6.6.5-1-liquorix-amd64
vmlinuz-6.6.6-1-liquorix-amd64
vmlinuz-6.6.8-1-liquorix-amd64

I like to sign my kernels and modules and have secure boot and kernel lockdown enabled, which requires the modules be signed.

Would the maintainers consider re-enabling module signing in future builds?

damentz commented 8 months ago

Making the changes as you requested will actually break secure boot for other users (I don't understand how this is the case but it is what it is):

  1. https://aur.archlinux.org/packages/linux-lqx?O=10#comment-946307
  2. https://aur.archlinux.org/packages/linux-lqx?O=10#comment-946318

Not to mention, I don't see the point of secure boot on Liquorix if I cannot sign my kernel with Microsoft keys. Also, over the last year or two, multiple keys that Microsoft already provisioned have been revoked. I don't have the list in front of me now but multiple laptops of mine no longer support the keys intended for development or small systems through firmware updates.

Xeboc commented 8 months ago

I read those 2 comments and I wasn't able to connect the post back to my request. My apologies, would you be so kind as to explain what you mean a bit further? How does enabling the ability to sign modules break secure boot for other users?

I am already using secure boot with this Liquorix kernel. I create my own MOK keys, import them into firmware, and sign the kernel with them. The only piece that is lacking is the ability to sign the modules.

If I use the 6.6.11-amd64 kernel, it has DKIM signing using the locally generated MOK keys (or my own), so I don't understand why it is disabled in Liquorix.

damentz commented 8 months ago

Let me hoist the comments I linked as they have the answer you're looking for:

vlad1.96 commented on 2023-12-03 12:55 (CST) (edited on 2023-12-03 13:20 (CST) by vlad1.96)

I have something strange with signing modules for secure boot with this core in the last month. Nvidia drivers are not loading with the error: Failed to insert module 'nvidia_uvm': Key was rejected by service. I tried 2 packages: nvidia-dkms and nvidia-beta-dkms, I tried to compile the kernel from here and from the repository. The linux and linux-lts kernels installed nearby are working (they also generate kernel modules via DKMS), but linux-lqx does not. Has anything changed in the kernel that affects the signing of kernel modules? I'm not sure if the kernel is to blame, but for some reason the problem is with it. I tried to completely reinstall the system and reinstall the kernel and it doesn't help.

Followed by my response:

damentz commented on 2023-12-03 14:19 (CST)

@vlad1.96, interesting, I thought it's impossible to run secure boot without a stock kernel signed by Microsoft keys. This is new information to me.

Regardless, given you're able to boot in secure boot mode but not load DKMS modules, the reason why the modules can't be loaded is that I recently configured Liquorix to use security settings similar to linux-zen and Debian stock.

A new version is on the way (and immediately available through AUR), that reverts those recent changes. Let me know if that helps.

The commits related are here:

Basically, I have no way of supporting secure boot in a way that makes it work for everyone. I can either make it work for you but not the user I referenced, or I can make secure boot work for the user in the AUR comments and not for you.

Xeboc commented 7 months ago

Okay, thanks for the info. It sounds like there isn't a current solution. I appreciate the work you've put into this project, thank you for your time and efforts.

sgtcoder commented 7 months ago

So are we not allowing sign-file/signing of modules in liquorix?

sudo: /usr/src/linux-headers-6.7.3-3-liquorix-amd64/scripts/sign-file: command not found

We can secure boot and sign modules with the xanmod kernels.

Plus secure boot increases the security of the computer, so not sure why you would want to disable that. Microsoft complains when you disable Secure Boot as well.
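The thread turns on two things an administrator can check for themselves: whether a given kernel's config enables module signature support (the CONFIG_MODULE_SIG_HASH lines in the first post), and whether the installed headers ship the scripts/sign-file tool that DKMS calls (the "command not found" error in the last post). The script below is an added example, not code from the issue or from the liquorix-package project. It parses a kernel config file for the real CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE and CONFIG_MODULE_SIG_HASH symbols and tests for an executable scripts/sign-file under a headers directory; the config file contents and header directories it creates under a temp directory are constructed samples, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the issue or the liquorix-package project):
# report a kernel's module-signing configuration and whether its headers
# provide the sign-file tool DKMS uses. Sample inputs below are constructed.

# Print "disabled", "enabled:<hash>" or "enforced:<hash>" for a kernel
# config file such as /boot/config-<version>.
module_sig_status() {
    cfg="$1"
    # CONFIG_MODULE_SIG=y is the master switch for signature support.
    if ! grep -q '^CONFIG_MODULE_SIG=y' "$cfg"; then
        echo "disabled"
        return 0
    fi
    # Hash algorithm used for module signatures, e.g. "sha256".
    sig_hash=$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"/\1/p' "$cfg")
    # CONFIG_MODULE_SIG_FORCE=y rejects unsigned modules even without lockdown.
    if grep -q '^CONFIG_MODULE_SIG_FORCE=y' "$cfg"; then
        echo "enforced:${sig_hash:-unknown}"
    else
        echo "enabled:${sig_hash:-unknown}"
    fi
}

# Print "yes" if <headers-dir>/scripts/sign-file is executable, else "no".
sign_file_present() {
    if [ -x "$1/scripts/sign-file" ]; then echo "yes"; else echo "no"; fi
}

# --- constructed sample inputs (removed on exit) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_HASH="sha256"\n' > "$tmp/config-signing"
printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\nCONFIG_MODULE_SIG_HASH="sha512"\n' > "$tmp/config-forced"
printf '# CONFIG_MODULE_SIG is not set\n' > "$tmp/config-none"
mkdir -p "$tmp/headers-with/scripts" "$tmp/headers-without"
: > "$tmp/headers-with/scripts/sign-file"
chmod +x "$tmp/headers-with/scripts/sign-file"

for c in "$tmp"/config-*; do
    echo "$(basename "$c"): $(module_sig_status "$c")"
done
echo "headers-with sign-file: $(sign_file_present "$tmp/headers-with")"
echo "headers-without sign-file: $(sign_file_present "$tmp/headers-without")"

# On a real machine, the same functions run over the installed kernels:
for c in /boot/config-*; do
    if [ -f "$c" ]; then
        echo "$c: $(module_sig_status "$c")"
    fi
done
```

With CONFIG_MODULE_SIG absent, a signed-boot setup that relies on lockdown or CONFIG_MODULE_SIG_FORCE has nothing to verify against, which is why a "disabled" result on a kernel the report lists explains both the missing sign-file and the DKMS failure without any further diagnosis.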