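My test environment:
-- OS: RHEL 9.2
I signed the 6.2.0 kernel that I built, and it boots with Secure Boot enabled.
Then I tried to sign a module for Secure Boot, but it failed to load.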
[root@localhost ptusys]# insmod ptusys.ko
insmod: ERROR: could not insert module ptusys.ko: Key was rejected by service
This is my MOK list.
[root@localhost ptusys]# mokutil -l
[key 1]
SHA1 Fingerprint: e6:f5:06:46:20:69:aa:17:d2:e8:61:05:03:63:5c:20:f3:a9:95:c3
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
83:73:0d:2b:72:80:d1:5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Red Hat, Inc., CN=Red Hat Secure Boot CA 5/[email protected]
Validity
Not Before: Jun 9 08:15:36 2020 GMT
Not After : Jan 18 08:15:36 2038 GMT
Subject: O=Red Hat, Inc., CN=Red Hat Secure Boot CA 5/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
CC:6F:A5:E7:28:68:BA:49:4E:93:9B:BD:68:0B:91:44:76:9A:9F:8F
X509v3 Authority Key Identifier:
CC:6F:A5:E7:28:68:BA:49:4E:93:9B:BD:68:0B:91:44:76:9A:9F:8F
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[key 2]
SHA1 Fingerprint: 38:b4:81:6f:ad:27:5b:94:26:0b:a0:27:10:57:ee:ae:dc:1a:dc:f2
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
37:66:94:fb:99:de:41:07:9a:8e:9f:97:40:39:46:e4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Organization signing key
Validity
Not Before: Nov 29 07:56:03 2023 GMT
Not After : Jan 19 03:14:07 2037 GMT
Subject: CN=Organization signing key
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
89:C5:18:29:EA:C1:DF:26:D2:46:5A:87:FF:CB:88:C8:10:5E:56:F3
X509v3 Extended Key Usage:
Code Signing, 1.3.6.1.4.1.2312.16.1.2
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
89:C5:18:29:EA:C1:DF:26:D2:46:5A:87:FF:CB:88:C8:10:5E:56:F3
Signature Algorithm: sha256WithRSAEncryption
This is the modinfo output.
[root@localhost ptusys]# modinfo ptusys.ko
filename: /root/ptat/driver/ptusys/ptusys.ko
license: GPL
srcversion: A5DEACA36DD92704EA927C0
depends:
retpoline: Y
name: ptusys
vermagic: 6.2.0 SMP preempt mod_unload modversions
sig_id: PKCS#7
signer: Organization signing key
sig_key: 37:66:94:FB:99:DE:41:07:9A:8E:9F:97:40:39:46:E4
sig_hashalgo: sha256
The tail of the dmesg output:
[ 139.868846] Loading of module with unavailable key is rejected