kernel module in UEFI secure boot --- insmod: ERROR: could not insert module lkm_hello.ko: Operation not permitted

# insmod lkm_hello.ko
insmod: ERROR: could not insert module lkm_hello.ko: Operation not permitted

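Solution
The cause is simply that inserting a .ko file modifies the Linux kernel, so it is blocked by the Secure Boot protection in the BIOS.
Reboot into the BIOS, change the Secure Boot option to disable Secure Boot, and after booting run the previous command again with sudo.

https://open-cells.com/index.php/2017/06/08/kernel-module-uefi-secure-boot/

Signed kernel module: how to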

  • Compilation of a kernel module like this example
    • cd opencells-mods/gtp_mod
    • make -C /lib/modules/$(uname -r)/build M=$PWD
    • sudo cp gtp.ko /lib/modules/$(uname -r)/kernel/drivers/net/gtp.ko
  • But, although we just compiled it successfully, the module can’t be loaded
    • modprobe gtp
    • ERROR: could not insert ‘gtp’: Operation not permitted

Your kernel booted in “secure boot” mode, so the module can’t be loaded.

This issue also occurs with other modules in AOI, like ue_ip.ko

  • Solution 1
      • Remove “secure boot” entirely
      • How to do this depends on the UEFI BIOS
      • It can be done with
      • sudo apt install mokutil
      • sudo mokutil --disable-validation
      • After this, reboot the computer; the UEFI BIOS should ask for the password you set with “mokutil”, then ask you to confirm disabling secure boot
  • Solution 2
    • Sign your modules
    • add your own signature to the valid signatures
      • create the signing keys
      • openssl req -new -x509 -newkey rsa:2048 -keyout OCP.priv -outform DER -out OCP.der -nodes -days 36500 -subj "/CN=OpenCells/"
      • keep the two files OCP.der and OCP.priv, as you’ll need them to sign your kernel modules
      • import the key into UEFI boot
      • sudo mokutil --import OCP.der
      • It asks for a password: enter any string; you’ll need it once, at the next reboot, to confirm enrolling the new key
      • You need to reboot the machine to enroll this new key
    • Now you can sign your modules
      • each time you compile a module, you have to sign it
      • (after: sudo cp gtp.ko /lib/modules/`uname -r`/kernel/drivers/net/gtp.ko)
    • sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./OCP.priv ./OCP.der $(modinfo -n gtp)
    • now “sudo modprobe gtp” should not complain anymore
  • You’ll need to compile and update the module after each Ubuntu kernel upgrade
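
A check to run after the sign-file step above and before modprobe, as an added example that is not part of the original page: it reads the trailer that sign-file appends to a module and reports the signature length. It assumes an uncompressed .ko as copied in the steps above; the function names and the script name check_sig.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): inspect the trailer that
# scripts/sign-file appends. End of a signed, uncompressed .ko:
#   [module body][PKCS#7 signature][12-byte module_signature][28-byte magic]
MAGIC='~Module signature appended~'   # followed by a newline in the file

# Print the signature length in bytes. Return 1 if the file is unsigned or
# its trailer is malformed, 2 if it cannot be read.
module_sig_len() {
    f=$1
    [ -r "$f" ] || return 2
    size=$(wc -c < "$f")
    [ "$size" -gt 40 ] || return 1
    # The "x" sentinel preserves the trailing newline; tr masks NUL bytes.
    got=$(tail -c 28 "$f" | tr '\000' '?'; printf x)
    [ "$got" = "$(printf '%s\nx' "$MAGIC")" ] || return 1
    # The 12 bytes before the magic, as unsigned decimal values.
    set -- $(tail -c 40 "$f" | od -An -v -tu1 -N12)
    [ "$#" -eq 12 ] || return 1
    # Byte 3 is id_type; sign-file writes 2 (PKEY_ID_PKCS7).
    [ "$3" -eq 2 ] || return 1
    # Bytes 9-12 are sig_len, big-endian.
    len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    # The signature has to fit between the module body and the trailer.
    [ "$len" -gt 0 ] && [ "$len" -lt $((size - 40)) ] || return 1
    echo "$len"
}

# One status line per file; returns non-zero if any file lacks a valid trailer.
check_modules() {
    rc=0
    for ko in "$@"; do
        if n=$(module_sig_len "$ko"); then
            echo "signed ($n-byte signature): $ko"
        else
            echo "NOT SIGNED (or trailer malformed): $ko"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_sig.sh "$(modinfo -n gtp)"
if [ "$#" -gt 0 ]; then check_modules "$@"; fi
```

A well-formed trailer shows that the file was signed, not that the signing certificate is enrolled; the kernel still rejects the module if OCP.der was never enrolled at reboot.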
posted @ 2022-11-20 22:58  张同光