Automatic signing of DKMS kernel modules has been implemented by Debian by default in Debian bookworm.
sudo modinfo /lib/modules/6.1.0-13-amd64/updates/dkms/tirdad.ko | grep sign
signer: DKMS module signing key
Therefore re-enabled only allowing loading signed modules:
Allow only loading signed modules has to be reverted yet again.
Yes, kernel modules are signed by DKMS nowadays with the DKMS key. But that is only “half” of the solution. On
mokutil to import the key. Hence, the kernel does not know that key and refuses it. As a result, kloak fails to load.
There are no other places to enroll the key. Reference:
See:
Table 3.3. Sources for system keyrings
Kernel recompilation would be possible, but that’s quite an involved process:
Can /var/lib/dkms/mok.pub be enrolled using keyctl?
keyctl:
sudo apt install keyutils
Debian Linux kernel bug report: key enrollment on non-EFI systems for module.sig_enforce=1 kernel parameter
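The gap discussed in this thread (a module signed with the DKMS key, but that key absent from the kernel's trusted keyring) can be checked before enabling module.sig_enforce=1. The following is an added example, not code from the thread or from Debian; it matches the `signer:` name from `modinfo` against a keyring listing, assuming entries of the form `asymmetric: <name>: <hex id>` as printed by `keyctl list %:.builtin_trusted_keys`. The function names and all sample data are constructed for illustration, and a name match is a heuristic, not a cryptographic check.

```shell
#!/bin/sh
# Added example. All sample text below is constructed, not captured output.

# Print the "signer:" field of `modinfo` output read from stdin.
module_signer() {
    sed -n 's/^signer:[[:space:]]*//p' | head -n 1
}

# Succeed if a keyring listing on stdin contains an asymmetric key whose
# description starts with the name in $1 (assumed "<name>: <hex id>").
keyring_has_signer() {
    grep -F -q "asymmetric: $1: "
}

# classify MODINFO_TEXT KEYRING_TEXT -> unsigned | trusted | untrusted-signer
classify() {
    signer=$(printf '%s\n' "$1" | module_signer)
    if [ -z "$signer" ]; then
        echo unsigned            # no signature appended to the module
    elif printf '%s\n' "$2" | keyring_has_signer "$signer"; then
        echo trusted             # signer name is present in the keyring
    else
        echo untrusted-signer    # signed, but the kernel does not know the key
    fi
}

# Constructed modinfo excerpt for the DKMS-built module from the thread.
SAMPLE_MODINFO='filename:       /lib/modules/6.1.0-13-amd64/updates/dkms/tirdad.ko
sig_id:         PKCS#7
signer:         DKMS module signing key
sig_hashalgo:   sha256'

# Constructed modinfo excerpt for a module without a signature.
SAMPLE_UNSIGNED='filename:       /tmp/example.ko
license:        GPL'

# Constructed keyring without the DKMS key (the situation described above).
KEYRING_STOCK='1 key in keyring:
 100000001: ---lswrv     0     0 asymmetric: Example distro kernel key: 00112233aabbccdd'

# Constructed keyring as it would look if the DKMS key were enrolled.
KEYRING_ENROLLED="$KEYRING_STOCK
 100000002: ---lswrv     0     0 asymmetric: DKMS module signing key: ffeeddccbbaa9988"

classify "$SAMPLE_MODINFO" "$KEYRING_STOCK"    # prints: untrusted-signer
```

On a live system the two inputs would be the output of `modinfo` on the module file and the keyring listing, passed to `classify` as strings.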