LKRG with secure boot / signed modules

Is anyone using LKRG with module.sig_enforce set to 1?

Can’t quite get it working: even after enrolling the key via mokutil, the kernel does not recognize LKRG as a trusted module:

kern  :err   : [  +0.143316] PKCS#7 signature not signed with a trusted key

GitHub: ./Whonix/lkrg/issues/4 (forum software prevents me from adding the link, sorry).

I don’t think this is an issue specific to the LKRG Debian package.

Issues:

  • How to sign kernel modules on Debian (currently: buster) as a system administrator? I guess you could have the same issue with any kernel module, not limited to this one.
  • How to use DKMS to sign kernel modules?
  • Modify the Whonix and Kicksecure Linux distributions to automatically sign kernel modules using DKMS.

Upgraded your account. You can post links now.

See also, and if anyone wants this fixed, please contribute to this:

enforce kernel module software signature verification [module signing] / disallow kernel module loading by default

After some back-n-forth, I have managed to persuade Debian that my signing key is legitimate, but LKRG still fails to finish the initialization.

Created LKRG fails to initialize with a certain combination of boot parameters · Issue #27 · lkrg-org/lkrg · GitHub
