I am new to writing Linux modules (drivers) and to digital signatures, so please correct me if my understanding is wrong.

When I run `make modules_install` on the module, I get the following error (veikk is the module name):
```
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directory
```
I have been looking for tutorials on signing modules, but I am very confused about how signed modules are distributed. There are tutorials on signing modules manually (e.g., this, this, this), but all of them seem to be post-install and involve generating a key and registering it with the kernel. It seems the kernel expects to sign the module automatically at install time using `certs/signing_key.pem` (hence the error).

Using the suggestion from this Unix Stack Exchange question, I was able to get rid of the error. This generates the `x509.genkey` file and then creates the `signing_key.pem` and `signing_key.x509` files in the `certs` directory of the kernel directory:
```sh
# Write the OpenSSL request config for a self-signed module-signing certificate
printf "[ req ]\ndefault_bits = 4096\ndistinguished_name = req_distinguished_name\nprompt = no\nstring_mask = utf8only\nx509_extensions = myexts\n\n[ req_distinguished_name ]\nCN = Modules\n\n[ myexts ]\nbasicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid" > x509.genkey
# BUILD_DIR is the kernel build tree, e.g. /lib/modules/$(uname -r)/build.
# $(BUILD_DIR) is Makefile syntax; in a shell the variable is written $BUILD_DIR.
openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out "$BUILD_DIR/certs/signing_key.x509" -keyout "$BUILD_DIR/certs/signing_key.pem"
```
After running this, `make modules_install` seems to install the module correctly. The output of `modinfo veikk` appears to show a valid signature:
```
filename:       /lib/modules/5.1.5-arch1-2-ARCH/extra/veikk.ko.xz
license:        GPL
srcversion:     A82263B16A25C763382D8B9
alias:          hid:b0003g*v00002FEBp00000003
alias:          hid:b0003g*v00002FEBp00000002
alias:          hid:b0003g*v00002FEBp00000001
depends:        hid
retpoline:      Y
name:           veikk
vermagic:       5.1.5-arch1-2-ARCH SMP preempt mod_unload
sig_id:         PKCS#7
signer:         Modules
sig_key:        27:E8:FC:4A:4E:15:0C:AF:40:D5:A1:A4:10:E5:B5:55:BF:AF:EB:66
sig_hashalgo:   sha512
signature:      AC:AF:49:16:D4:AD:D9:7B:C5:52:A5:9F:F8:46:1C:DF:93:71:05:00:
4D:BF:96:96:3C:D1:11:19:6F:AC:D5:27:7D:E3:EE:8D:6C:BB:17:F4:
53:D3:FD:EE:85:22:97:57:BB:27:23:9C:8A:04:79:75:99:C4:A0:E6:
29:AF:20:15:87:EA:41:D2:26:00:2B:A1:39:68:28:FE:05:F5:F1:B1:
42:F8:FF:66:C0:6C:B5:17:A1:E7:F4:65:0A:17:64:99:9E:11:86:C0:
94:E7:D5:83:59:50:BE:0D:33:B8:A2:64:66:4F:70:A3:EB:E4:FB:B4:
52:D9:26:9C:57:CC:0D:D6:53:51:C2:90:D6:51:13:83:B6:22:EC:C9:
DF:15:1D:1E:34:BD:7A:2D:8F:13:2D:78:8C:D3:EA:43:0B:6C:8D:DA:
9A:DA:A1:74:03:FC:D8:72:D0:96:54:52:60:AB:7A:BB:3C:D0:F4:8C:
B7:92:21:B1:D8:02:01:6B:9B:AD:11:1A:90:5B:21:94:12:B7:5A:15:
10:6B:92:FA:74:F5:49:A2:4A:65:FF:4E:B6:9B:08:7B:BD:E5:85:9D:
98:52:A2:E4:D7:B4:0D:90:0D:62:7E:CE:6B:F8:8B:0C:33:76:1E:01:
C7:0D:29:8C:97:BC:E1:35:58:2B:55:3F:6E:D9:36:46:50:76:74:67:
1F:B2:F6:C3:6B:24:4D:C1:7E:8D:14:4D:10:2D:1D:80:3C:82:02:1C:
A6:87:14:8B:A0:3C:21:EA:DD:A7:CD:9C:D0:1B:DF:84:53:BF:0A:B6:
DA:50:C4:AA:FF:90:44:47:4B:9F:8A:1C:C3:14:5D:A3:B5:A4:5F:6F:
E1:E0:E2:51:B1:1E:5C:7E:95:70:72:76:3A:9D:53:10:F5:F0:3F:CD:
E5:2B:EF:E4:3D:DB:64:65:9B:AE:E6:23:6E:4E:F1:4B:94:17:FF:FF:
06:A0:79:84:E1:BE:24:9D:93:B9:D4:94:41:76:92:D5:5B:8F:F6:4F:
98:B9:24:6F:01:CD:4F:49:52:15:48:79:4A:F3:46:CF:8A:AC:21:A9:
64:81:AC:01:15:80:06:F4:C3:9D:8A:C0:48:A6:53:C5:81:C2:DD:B1:
C6:B9:80:B8:A9:C2:89:B8:20:C5:89:81:90:15:86:78:F7:09:3F:FD:
F6:AC:54:57:8C:E0:B4:62:E0:78:CB:59:63:FA:E6:E2:8C:78:59:31:
92:E5:B5:E3:75:FE:F6:8F:82:3B:D6:5B:B1:84:E9:A8:9E:A4:B0:03:
99:8D:41:55:FF:11:A8:B6:A3:B9:EA:1D:5C:58:F7:D2:A6:F4:3A:C9:
B1:E6:83:10:B7:E5:E4:15:28:2C:62:96
```

My question: is this the recommended (and secure) way to sign a driver? Ideally, I would like end users not to have to deal with the hassle of signing the driver themselves at install time.

Since my understanding is a bit muddled, here are a few things I do not understand:

- Is this automatic signing at build time as secure as the tutorials above that sign the driver manually after installation? That is, I am generating a key to sign it with, but that key is never (at least explicitly) loaded into the kernel.
- How are drivers normally distributed and signed? I expect that large companies with proprietary Linux drivers, such as Nvidia, sign their modules in some way.
- Is there a way to sign the module in advance (on my side)? That seems unlikely, since the module is supposed to be built against whatever system is going to use it.

I would like to keep Secure Boot enabled (disabling it allows unsigned modules to be loaded, but customers prefer Secure Boot on).
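As an added example (not part of the question), a small POSIX shell script that checks the point raised in the first bullet: whether the key that signed a module is actually present in the kernel's trusted keyring, which is what the kernel checks when `sig_enforce` is on, independently of `modinfo` showing a signature. It assumes `/proc/keys` lists trusted asymmetric keys with the key identifier as hex that matches the `sig_key` fingerprint from `modinfo`; the sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not from the question: modinfo only shows that a signature is
# attached; the kernel accepts the module only if the signer's key is in its
# trusted keyring. Assumption: /proc/keys prints the key ID as hex matching
# modinfo's "sig_key:" fingerprint (true for common distro kernels).

# Print the signing-key fingerprint (lowercase, no colons) from modinfo text on stdin.
sig_key_of() {
    awk '$1 == "sig_key:" { gsub(":", "", $2); print tolower($2) }'
}

# Return 0 if fingerprint $1 occurs in the keyring listing read from stdin.
key_is_trusted() {
    grep -qiF "$1"
}

# $1 = modinfo text, $2 = keyring listing text. Prints a verdict and returns
# 0 when trusted, 1 when the signer is unknown, 2 when the module is unsigned.
check_module_trust() {
    fp=$(printf '%s\n' "$1" | sig_key_of)
    [ -n "$fp" ] || { echo "unsigned: no sig_key in modinfo"; return 2; }
    if printf '%s\n' "$2" | key_is_trusted "$fp"; then
        echo "trusted: signer $fp is in the kernel keyring"; return 0
    fi
    echo "untrusted: signer $fp not in keyring (rejected when sig_enforce=Y)"; return 1
}

# Whether the running kernel enforces module signatures (Y/N), read from sysfs.
sig_enforce_state() {
    f=/sys/module/module/parameters/sig_enforce
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# Constructed sample inputs; the fingerprint is the one from the modinfo output above.
SAMPLE_MODINFO='name:           veikk
sig_id:         PKCS#7
signer:         Modules
sig_key:        27:E8:FC:4A:4E:15:0C:AF:40:D5:A1:A4:10:E5:B5:55:BF:AF:EB:66
sig_hashalgo:   sha512'
SAMPLE_KEYS_TRUSTED='3a1b2c3d I------ 1 perm 1f030000 0 0 asymmetri Modules: 27e8fc4a4e150caf40d5a1a410e5b555bfafeb66: X509.rsa bfafeb66 []'
SAMPLE_KEYS_OTHER='3a1b2c3d I------ 1 perm 1f030000 0 0 asymmetri Build time autogenerated kernel key: 0123456789abcdef0123456789abcdef01234567: X509.rsa 01234567 []'

# Demonstration on the constructed data; on a real system use:
#   check_module_trust "$(modinfo veikk)" "$(cat /proc/keys)"; sig_enforce_state
check_module_trust "$SAMPLE_MODINFO" "$SAMPLE_KEYS_TRUSTED" || true
check_module_trust "$SAMPLE_MODINFO" "$SAMPLE_KEYS_OTHER" || true
```

A key generated only in the module build tree never reaches `/proc/keys` on the target machine, so the second case is what such a module looks like to the kernel there.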