Module is signed but still reports "insmod: ERROR: could not insert module ptusys.ko: Key was rejected by service"


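My test environment:

-- OS: RHEL 9.2

I signed the kernel 6.2.0 that I built, and it boots with Secure Boot enabled.

Then I tried to sign a module for Secure Boot, and it failed to apply.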

[root@localhost ptusys]# insmod ptusys.ko
insmod: ERROR: could not insert module ptusys.ko: Key was rejected by service

This is my MOK list.

[root@localhost ptusys]# mokutil -l
[key 1]
SHA1 Fingerprint: e6:f5:06:46:20:69:aa:17:d2:e8:61:05:03:63:5c:20:f3:a9:95:c3
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            83:73:0d:2b:72:80:d1:5a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Red Hat, Inc., CN=Red Hat Secure Boot CA 5/[email protected]
        Validity
            Not Before: Jun  9 08:15:36 2020 GMT
            Not After : Jan 18 08:15:36 2038 GMT
        Subject: O=Red Hat, Inc., CN=Red Hat Secure Boot CA 5/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                CC:6F:A5:E7:28:68:BA:49:4E:93:9B:BD:68:0B:91:44:76:9A:9F:8F
            X509v3 Authority Key Identifier:
                CC:6F:A5:E7:28:68:BA:49:4E:93:9B:BD:68:0B:91:44:76:9A:9F:8F
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

[key 2]
SHA1 Fingerprint: 38:b4:81:6f:ad:27:5b:94:26:0b:a0:27:10:57:ee:ae:dc:1a:dc:f2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            37:66:94:fb:99:de:41:07:9a:8e:9f:97:40:39:46:e4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Organization signing key
        Validity
            Not Before: Nov 29 07:56:03 2023 GMT
            Not After : Jan 19 03:14:07 2037 GMT
        Subject: CN=Organization signing key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                89:C5:18:29:EA:C1:DF:26:D2:46:5A:87:FF:CB:88:C8:10:5E:56:F3
            X509v3 Extended Key Usage:
                Code Signing, 1.3.6.1.4.1.2312.16.1.2
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                89:C5:18:29:EA:C1:DF:26:D2:46:5A:87:FF:CB:88:C8:10:5E:56:F3
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

This is the modinfo.

[root@localhost ptusys]# modinfo ptusys.ko
filename:       /root/ptat/driver/ptusys/ptusys.ko
license:        GPL
srcversion:     A5DEACA36DD92704EA927C0
depends:
retpoline:      Y
name:           ptusys
vermagic:       6.2.0 SMP preempt mod_unload modversions
sig_id:         PKCS#7
signer:         Organization signing key
sig_key:        37:66:94:FB:99:DE:41:07:9A:8E:9F:97:40:39:46:E4
sig_hashalgo:   sha256

The tail of the dmesg output:

[  139.868846] Loading of module with unavailable key is rejected
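
An added example, not part of the original post: a check of whether the module's signer is actually enrolled, matching the sig_key field from modinfo against the certificate serial numbers in mokutil -l. It assumes sig_key carries the signer certificate's serial number, as it does in the output above; the function names are hypothetical and the sample data is abridged from the question.

```shell
#!/bin/sh
# Added example: is the module's signer certificate in the MOK list?

# Constructed sample input, abridged from the modinfo and mokutil output above.
MODINFO_SAMPLE='signer:         Organization signing key
sig_key:        37:66:94:FB:99:DE:41:07:9A:8E:9F:97:40:39:46:E4
sig_hashalgo:   sha256'
MOKUTIL_SAMPLE='[key 1]
        Serial Number:
            83:73:0d:2b:72:80:d1:5a
[key 2]
        Serial Number:
            37:66:94:fb:99:de:41:07:9a:8e:9f:97:40:39:46:e4'

# Reduce a serial printed as AA:BB, aa:bb or 0xaabb to bare lowercase hex.
norm_serial() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed -e 's/^0x//' -e 's/://g' -e 's/^0*//'
}

# Print "<key index> <serial>" for each certificate in mokutil -l text on stdin.
mok_serials() {
    awk '
        /^\[key [0-9]+\]/ { key = $2; sub(/\]/, "", key) }
        /Serial Number:/ {
            if (NF >= 4) { s = $4; gsub(/[()]/, "", s) }  # "Serial Number: 1 (0x1)"
            else         { getline; s = $1 }              # value on the next line
            print key, s
        }'
}

# Print the MOK key index whose serial equals the module's sig_key.
# $1 = modinfo text, $2 = mokutil -l text. Returns 0 on a match, 1 if the
# signer is not enrolled, 2 if the module carries no sig_key field.
signer_in_mok() {
    want=$(norm_serial "$(printf '%s\n' "$1" | awk '/^sig_key:/ { print $2; exit }')")
    [ -n "$want" ] || { echo "no sig_key: module is unsigned" >&2; return 2; }
    printf '%s\n' "$2" | mok_serials | while read -r key serial; do
        [ "$(norm_serial "$serial")" = "$want" ] && echo "$key"
    done | grep .
}

# On a live system: signer_in_mok "$(modinfo ptusys.ko)" "$(mokutil -l)"
echo "signer enrolled as MOK key: $(signer_in_mok "$MODINFO_SAMPLE" "$MOKUTIL_SAMPLE")"
```

For the data in the question this reports key 2: the signing certificate is present in the MOK list.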
