Tag Archives: UEFI

Self-Signing Modules on Fedora 20

I recently got a new computer for work. So new that the wireless drivers are not yet included in the kernel mainline, though they do exist in the staging tree in the main branch. It’s relatively easy to compile the module following the directions post on this blog post:
http://www.linlap.com/asus_transformer_book_trio_tx201la

Updated kernel source for 3.15:
https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next.git/+archive/v3.15/drivers/staging/rtl8821ae.tar.gz

Makefile append:

KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) CONFIG_R8821AE=m modules

Basically you download that tarball, append to the Makefile, and run make. Simple.

The problem I ran into is that UEFI SecureBoot is set up, meaning that all code inserted in the kernel needs to be signed and recognized by the bios. It’s really not obvious how to do this, I guess because people are not really encouraged to build custom modules and kernels. I did eventually find a post from the SystemTap guy on how to do it:
http://sourceware.org/systemtap/wiki/SecureBoot

x509.genkey openssl config file

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

Creating the x509 certs, and adding them to MoK (machine-owner keys):

openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.priv
sudo mokutil --import signing_key.x509
reboot

Sign modules and install:

/usr/src/kernels/`uname -r`/scripts/sign-file sha512 signing_key.priv signing_key.x509 rtl8821ae.ko
sudo cp rtl8821ae.ko /lib/modules/3.16.0-1.fc22.x86_64/kernel/drivers/staging/rtl8821ae/

It kernel panic’d the first time (oops). The second time it ran ok.