Linux – No OpenSSL sign-file signing_key.pem leads to error while loading kernel modules

kernelkernel-modulelinuxsslUbuntu

I am having problems while loading/installing a kernel module. The kernel module builds successfully, but whenever I try to make module_install, the kernel seems to fail to load. It leaves the below error message :-

At main.c:158:
    - SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
    - SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178 sign-file: certs/signing_key.pem: No such file or directory
    DEPMOD 4.10.0-20-generic

I have read about this problem and realized that the kernel has now started loading only properly signed modules. I find that the kernel source directory /usr/src/<linux version>/certs in my system does not have the signing_key.pem private key file because of which I see this error.

What should I do ? Can I manually generate a signing_key.pem file and use it further ? What would be some good methods to do so ? Will generating a private key/certificate file using openssl.cnf help me in this regard ? Or should I avoid using signed modules at all and try loading the modules as it is without any verification ?

I am using Ubuntu 17.04 with kernel 4.10.0-20-generic.

Best Answer

In your linux kernel root folder that you're compiling go to the certs folder and run:

openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

Where x509.genkey is a file with the contents:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

Refer to: https://wiki.gentoo.org/wiki/Signed_kernel_module_support

Option 2, is disable automated signing of modules in the config make menuconfig or make xconfig