Fixing insmod error: Required key not available
2015-01-19 18:27
Because current BIOSes support EFI, if the system boots with UEFI Secure Boot, all kernel modules must be signed with a UEFI Secure Boot key.
List the keys currently on the system keyring:

```
# keyctl list %:.system_keyring
```

If UEFI Secure Boot is not enabled on the system, the output looks similar to this:

```
3 keys in keyring:
...asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87...
...asymmetric: Red Hat Enterprise Linux kernel signing key: 4249689eefc77e95880b...
...asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b7...
```

Otherwise, the output looks similar to this:

```
6 keys in keyring:
...asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87...
...asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29...
...asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed...
...asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e...
...asymmetric: Red Hat Enterprise Linux kernel signing key: 4249689eefc77e95880b...
...asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b7...
```
You can also view the verification keys the kernel loaded that relate to UEFI Secure Boot (such as the UEFI Secure Boot db, the embedded shim, and the MOK list):

```
# dmesg | grep 'EFI: Loaded cert'
[5.160660] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a9290239...
[5.160674] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309b...
[5.165794] EFI: Loaded cert 'Red Hat Secure Boot (CA key 1): 4016841644ce3a8...
```
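Of course, if your BIOS supports disabling UEFI Secure Boot, you can turn UEFI Secure Boot off in the boot section of the BIOS setup.
Otherwise, the only option is to create a key of your own.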
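Tools involved:

Command | Package | Used on | Purpose |
---|---|---|---|
openssl | openssl | Build system | Generates the X.509 public/private key pair |
sign-file | kernel-devel | Build system | Signs kernel modules with the X.509 public/private key pair |
perl | perl | Build system | Interpreter for the signing script |
mokutil | mokutil | Target system | Manually enrolls the public key on the system |
keyctl | keyutils | Target system | Manually removes the public key enrollment from the system |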
Example script for generating an X.509 public/private key pair:

1. Generate the configuration file:

```
# cat << EOF > configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
```
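2. Generate the keys (the public and private keys are usually placed in the /usr/src/kernels/`uname -r` directory):

```
# openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config configuration_file.config -outform DER -out public_key.der -keyout private_key.priv
```

The `-nodes` option writes private_key.priv unencrypted, so keep that file readable only by the account that signs modules.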
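3. Ways to enroll the key on the target system:
   1. Embed the generated UEFI Secure Boot key data into the factory image, i.e. the BIOS (practically impossible).
   2. Embed the generated UEFI Secure Boot key data into the EFI image (I don't know how to do this; if anyone knows, please tell me).
   3. Add the public key to the MOK list by running the following:

```
# mokutil --import public_key.der
```

Then reboot the machine; after the reboot there is a password verification step.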
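Sign the module with the private key:

Build it directly:

```
# make -C /usr/src/kernels/$(uname -r) M=$PWD modules
```

Or sign the module after it has been built (`mod_dir` is a shell variable holding the directory that contains the module):

```
# cd /usr/src/kernels/$(uname -r) && perl ./scripts/sign-file sha256 private_key.priv public_key.der "$mod_dir/mod.ko"
```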
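To confirm that signing took effect before running insmod, the following added example (not part of the original post) inspects the trailer that sign-file appends to a module file. The function names and the constructed sample file are assumptions made for illustration; the trailer layout is the kernel's module signature format.

```shell
#!/bin/sh
# Added example: report whether a .ko carries the trailer that sign-file appends.
# File layout: <module> <signature data> <12-byte info struct> <28-byte magic>.
MAGIC='~Module signature appended~'          # stored with a trailing "\n"
hex() { od -An -v -tx1 | tr -d ' \n'; }      # byte stream -> hex string
MAGIC_HEX=$(printf '%s\n' "$MAGIC" | hex)

# Prints "unsigned", "corrupt", or "signed id_type=<n> sig_len=<n>".
module_sig_info() {
    f=$1
    size=$(( $(wc -c < "$f") ))
    if [ "$size" -lt 40 ] || [ "$(tail -c 28 "$f" | hex)" != "$MAGIC_HEX" ]; then
        echo unsigned
        return 0
    fi
    # 12 bytes before the magic: algo, hash, id_type, signer_len, key_id_len,
    # 3 pad bytes, then sig_len as a big-endian 32-bit integer.
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -v -tu1)
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    # Lengths that do not fit in the file mean a damaged trailer.
    if [ $(( sig_len + $4 + $5 + 40 )) -gt "$size" ]; then
        echo corrupt
        return 0
    fi
    echo "signed id_type=$3 sig_len=$sig_len"
}

# Constructed sample: 7 fake module bytes, 4 fake signature bytes, an info
# struct with id_type=2 and sig_len=4, then the magic. Not a real module.
make_sample() {
    printf 'ELFBODYSIGX\000\000\002\000\000\000\000\000\000\000\000\004%s\n' "$MAGIC" > "$1"
}

# Usage: sh this_script.sh /path/to/mod.ko
if [ $# -gt 0 ]; then
    module_sig_info "$1"
fi
```

A `signed` result only shows that the trailer is present; the kernel still rejects the module with "Required key not available" unless the signing key is on the keyring shown by `keyctl list %:.system_keyring`.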