I’m having difficulties loading a kernel module that I myself compiled and signed for Secure Boot. The module in question is ec_sys, located within the drivers/acpi directory of the kernel tree.
I’m using Debian 11 stable, kernel release 5.10.0-14-amd64, kernel version 5.10.113-1.
In short, the problem is that my attempts to load the module, e.g. with:
sudo modprobe -f ec_sys
end with an error
modprobe: ERROR: could not insert 'ec_sys': Operation not permitted
and dmesg yields the following:
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
If I understand it correctly, lockdown should block loading unsigned modules into the kernel, but I did in fact sign it, following Debian’s official docs on the topic, and it went smoothly, without any issues. I don’t know why it’s still being blocked.
Just for the sake of actually loading the module I even tried to disable kernel lockdown altogether via the SysRq+x combination, but it seems like it’s not supported in this kernel release (the ‘x’ command is not recognized at all).
For some more context, below are the steps I performed to build the module prior to enrolling a Machine Owner Key and signing the module with it.
# Get the source code
apt source linux
cd linux-5.10.113
# Generate .config
make localmodconfig
# Enable ec_sys via menuconfig (or just set CONFIG_ACPI_EC_DEBUGFS=m in .config)
make menuconfig
# Prepare modules
make modules_prepare
# Build acpi modules as they're the only ones of interest to me
make modules M=drivers/acpi
The compilation succeeded with warnings:
WARNING: Symbol version dump "Module.symvers" is missing. Modules may not have dependencies or modversions.
MODPOST drivers/acpi/Module.symvers
WARNING: modpost: Symbol info of vmlinux is missing. Unresolved symbol check will be entirely skipped.
Afterwards I copied the module to /lib/modules/$(uname -r), enrolled a new MOK (as stated before) and signed the module.
Note: as of now, attempts to load the module without the -f flag cause the following error:
modprobe: ERROR: could not insert 'ec_sys': Exec format
I figure this is related to the warnings mentioned above and also to the fact that sudo modinfo ec_sys returns
vermagic: 5.10.113 SMP mod_unload modversions
while for any other module it returns
vermagic: 5.10.0-14-amd64 SMP mod_unload modversions
But it doesn’t strike me as something to be concerned about – apt source linux downloaded 5.10.113 sources, because my actual kernel version is 5.10.113. It should be compatible with my kernel release (5.10.0-14), right?
So, just to make the questions clear:
- Why is kernel lockdown blocking loading of a signed kernel module?
- Is there anything that you can tell I clearly misunderstood about the whole compilation/signing/loading process and that might be affecting the result?
Any help is appreciated.
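An added example, not part of the original post: a Python check of the two properties of a .ko file that the post touches on, namely whether the file carries the appended signature trailer and whether its vermagic release matches the running kernel. The function names and the sample bytes are constructed for illustration; the trailer layout follows the kernel's `struct module_signature`.

```python
import os
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # marker that sign-file appends last
TRAILER = struct.Struct(">5B3xI")          # struct module_signature (12 bytes)
PKEY_ID_PKCS7 = 2                          # id_type used for PKCS#7 signatures

def signature_info(blob):
    """Return the trailer fields of a signed module image, or None."""
    meta_end = len(blob) - len(MAGIC)
    if not blob.endswith(MAGIC) or meta_end < TRAILER.size:
        return None
    fields = TRAILER.unpack_from(blob, meta_end - TRAILER.size)
    algo, hash_alg, id_type, signer_len, key_id_len, sig_len = fields
    if sig_len == 0 or sig_len > meta_end - TRAILER.size:
        return None  # marker present but the lengths do not fit the file
    return {"id_type": id_type, "sig_len": sig_len}

def vermagic(blob):
    """Return the vermagic string stored in .modinfo, or None."""
    start = blob.find(b"vermagic=")
    if start < 0:
        return None
    start += len(b"vermagic=")
    end = blob.find(b"\0", start)
    return blob[start:end if end >= 0 else None].decode("ascii", "replace")

def check(blob, running_release):
    """List reasons a plain (non-forced) load of this image would fail."""
    findings = []
    sig = signature_info(blob)
    if sig is None:
        findings.append("no appended signature")
    elif sig["id_type"] != PKEY_ID_PKCS7:
        findings.append("signature is not PKCS#7")
    vm = vermagic(blob)
    built_for = (vm.split() or [""])[0] if vm else ""
    if built_for != running_release:
        findings.append(f"vermagic {built_for!r} != running {running_release!r}")
    return findings

# Constructed sample: fake body, 64 placeholder signature bytes, trailer, marker.
SAMPLE_BODY = b"\x7fELF" + b"\0" * 16 + b"vermagic=5.10.113 SMP mod_unload modversions\0"
SAMPLE_SIGNED = SAMPLE_BODY + b"\x30" * 64 + TRAILER.pack(0, 0, 2, 0, 0, 64) + MAGIC

if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional path to an uncompressed .ko file
        with open(sys.argv[1], "rb") as fh:
            SAMPLE_SIGNED = fh.read()
    for line in check(SAMPLE_SIGNED, os.uname().release) or ["signed, vermagic matches"]:
        print(line)
```

A file can pass the signature check here and still be treated as unsigned: the kernel evaluates the appended signature only when the load request carries no force flags, since a module with its version information stripped is no longer the image that was signed.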