Kernel Module Signing for secure boot

ktalinki · 12-08-2016, 09:17 PM

hi,
Our product has kernel modules and when secure boot is enabled kernel is not loading our modules.
So we would like to sign our modules with a private key and install/add the public key on the target machine.
If the secureboot is enabled with UEFI Secureboot then we can add the public key to MOK, but if the secureboot is enabled with kernel parameter 'module.sig_enforce', I dont see a way to add add our public key to the kernel system keyring.

What are the ways to get around this?
Is there a way we can add a public key to system keyring with out building the kernel?
Microsoft signs drivers for the product developers, Is there something like that for Linux?

thanks for the help in advance,
--Kumar

Ztcoracat · 12-08-2016, 10:07 PM

Quote:

Is there a way we can add a public key to system keyring with out building the kernel?

I could be wrong but I (think) that the public key gets built into the kernel so it may not be possible w/o doing a build.

syg00 · 12-09-2016, 02:22 AM

Ask on lkml