No OpenSSL sign-file signing_key.pem leads to error while loading kernel modules
I am having problems while loading/installing a kernel module. The kernel module builds successfully, but whenever I try to make module_install, the kernel seems to fail to load. It leaves the below error message:
At main.c:158:
- SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178 sign-file: certs/signing_key.pem: No such file or directory
DEPMOD 4.10.0-20-generic
I have read about this problem and realized that the kernel has now started loading only properly signed modules. I find that the kernel source directory /usr/src/<linux version>/certs in my system does not have the signing_key.pem private key file because of which I see this error.
What should I do? Can I manually generate a signing_key.pem file and use it further? What would be some good methods to do so? Will generating a private key/certificate file using openssl.cnf help me in this regard? Or should I avoid using signed modules at all and try loading the modules as it is without any verification?
I am using Ubuntu 17.04 with kernel 4.10.0-20-generic.
In the root folder of the Linux kernel that you're compiling, go to the certs folder and run:
openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
Where x509.genkey is a file with the contents:
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
Refer to: https://wiki.gentoo.org/wiki/Signed_kernel_module_support
Option 2 is to disable automated signing of modules in the config (make menuconfig or make xconfig).
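
A pre-flight check covering both options in the answer above, as an added example that is not part of the original answer: it reads the kernel tree's .config and reports whether modules_install will try to sign, and whether the key it needs is present and private. The function names and state strings are made up for this example; the CONFIG_MODULE_SIG* symbols are the kernel's own.

```shell
#!/bin/sh
# Added example, not from the original answer. Reports which module-signing
# state a kernel build tree is in before `make modules_install` is run.

# Print the value of one CONFIG_ symbol from <tree>/.config, quotes stripped.
# Prints nothing when the symbol is absent or "is not set".
kconfig_value() {
    sed -n "s/^$2=//p" "$1/.config" | tr -d '"' | tail -n 1
}

check_module_signing() {
    tree=$1
    [ -f "$tree/.config" ] || { echo "no-config"; return 2; }
    sig=$(kconfig_value "$tree" CONFIG_MODULE_SIG)
    sig_all=$(kconfig_value "$tree" CONFIG_MODULE_SIG_ALL)
    force=$(kconfig_value "$tree" CONFIG_MODULE_SIG_FORCE)
    key=$(kconfig_value "$tree" CONFIG_MODULE_SIG_KEY)
    key=${key:-certs/signing_key.pem}   # kernel default, the path in the error

    # Signature checking compiled out: nothing is signed or verified.
    [ "$sig" = y ] || { echo "signing-disabled"; return 0; }

    # Option 2 from the answer: automatic signing is off.
    if [ "$sig_all" != y ]; then
        # With SIG_FORCE the kernel rejects unsigned modules, so each module
        # must then be signed by hand; without it they load and taint.
        if [ "$force" = y ]; then echo "manual-signing-required"
        else echo "unsigned-allowed"; fi
        return 0
    fi

    # Option 1: modules_install runs sign-file and needs the private key.
    case $key in
        pkcs11:*) echo "key-in-token"; return 0 ;;   # key held in a token
        /*) keypath=$key ;;
        *)  keypath=$tree/$key ;;
    esac
    [ -r "$keypath" ] || { echo "key-missing"; return 1; }

    # The key signs code the kernel will trust: group/other access is a finding.
    if [ "$(ls -lnL "$keypath" | cut -c5-10)" != "------" ]; then
        echo "key-exposed"; return 1
    fi
    echo "ok"
}

if [ "$#" -gt 0 ]; then check_module_signing "$1"; fi
```

The key-missing state is the one that produces the sign-file error quoted in the question; key-exposed is cleared by restricting the generated signing_key.pem to its owner (chmod 600).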