The pending MOK key enrollment request will be noticed by `shim.efi` and it will launch `MokManager.efi` to allow you to complete the enrollment from the UEFI console. You will need to enter the password you previously associated with this request and confirm the enrollment. Your public key is added to the MOK list, which is persistent.
Once a key is on the MOK list, it will be automatically propagated to the system key ring on this and subsequent boots when UEFI Secure Boot is enabled.
Signing Kernel Module with the Private Key
There are no extra steps required to prepare your kernel module for signing. You build your kernel module normally. Assuming an appropriate Makefile and corresponding sources, follow these steps to build your module and sign it:
Build your `my_module.ko` module the standard way:
~]#{nbsp}make -C /usr/src/kernels/$(uname -r) M=$PWD modules
Sign your kernel module with your private key. This is done with a Perl script. Note that the script requires that you provide the file containing your private key, the file containing your public key, and the kernel module file that you want to sign.
~]#{nbsp}perl /usr/src/kernels/$(uname -r)/scripts/sign-file \
> sha256 \
> my_signing_key.priv \
> my_signing_key_pub.der \
> my_module.ko
Your kernel module is in ELF image format and this script computes and appends the signature directly to the ELF image in your `my_module.ko` file. The [command]#modinfo# utility can be used to display information about the kernel module's signature, if it is present. For information on using the utility, see xref:Working_with_Kernel_Modules.adoc#sec-Displaying_Information_About_a_Module[Displaying Information About a Module].
Note that this appended signature is not contained in an ELF image section and is not a formal part of the ELF image. Therefore, tools such as [command]#readelf# will not be able to display the signature on your kernel module.
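Because the signature lives in a trailer after the ELF image rather than in a section, a build or audit pipeline can still confirm that a module carries one by reading that trailer directly. The following is an added example (not part of this guide or of the kernel's own tooling) that parses the trailer: the `~Module signature appended~` marker preceded by the 12-byte `struct module_signature`, handling both the PKCS#7 layout and the older X.509 layout in which a signer name and key identifier precede the raw signature; the sample module bytes are constructed for the demonstration.

```python
import struct
import sys

# Magic string the kernel looks for at the very end of a signed module.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature, 12 bytes, immediately before the magic string:
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3xI")
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}


def module_signature_info(data: bytes):
    """Return details of an appended module signature, or None if the module is unsigned."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module signature trailer")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    # Everything after the ELF image: [signer name][key id][signature][struct]
    trailer_len = signer_len + key_id_len + sig_len + SIG_STRUCT.size
    if trailer_len > len(body):
        raise ValueError("signature length exceeds file size")
    elf_len = len(body) - trailer_len
    sig_start = elf_len + signer_len + key_id_len
    return {
        "elf_len": elf_len,
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "signer": body[elf_len:elf_len + signer_len],
        "key_id": body[elf_len + signer_len:sig_start],
        "sig_len": sig_len,
        "signature": body[sig_start:sig_start + sig_len],
    }


def build_signed_sample(elf: bytes, signature: bytes, id_type: int = 2,
                        signer: bytes = b"", key_id: bytes = b"") -> bytes:
    """Constructed sample in the trailer layout sign-file produces (demonstration input only)."""
    hdr = SIG_STRUCT.pack(0, 0, id_type, len(signer), len(key_id), len(signature))
    return elf + signer + key_id + signature + hdr + MODULE_SIG_STRING


if __name__ == "__main__":
    # Usage: python check_modsig.py my_module.ko
    with open(sys.argv[1], "rb") as f:
        print(module_signature_info(f.read()))
```

Note that this check only reports the presence and shape of a signature; the kernel still verifies the signature itself against the keys on the system key ring at load time.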
Your kernel module is now ready for loading. Note that your signed kernel module is also loadable on systems where UEFI Secure Boot is disabled or on a non-UEFI system. That means you do not need to provide both a signed and unsigned version of your kernel module.
Loading Signed Kernel Module
Once your public key is enrolled and is in the system keyring, the normal kernel module loading mechanisms will work transparently. In the following example, you will use [command]#mokutil# to add your public key to the MOK list and you will manually load your kernel module with [command]#modprobe#.
Optionally, you can verify that your kernel module will not load before you have enrolled your public key. First, verify which keys have been added to the system key ring on the current boot by running [command]#keyctl list %:.system_keyring# as root. Since your public key has not been enrolled yet, it should not be displayed in the output of the command.
Request enrollment of your public key.
Reboot, and complete the enrollment at the UEFI console.
~]#{nbsp}reboot
After the system reboots, verify the keys on the system key ring again.
~]#{nbsp}keyctl list %:.system_keyring
You should now be able to load your kernel module successfully.