Key was rejected by service 😭 #617

Open
RENANZG opened this issue Oct 10, 2023 · 0 comments

RENANZG commented Oct 10, 2023

Why is this so difficult?

Could someone give me a little help?

a) The toolset, notably shim, mokutil, dkms, openssl, that comes in distros, not only in Debian, as there are reports that Ubuntu and Fedora seem to be poorly implemented in relation to the Linux kernel.

b) The process outlined below does not work. Is there a history of bugs with DKMS, or is it with the other packages? Or with package confusion?

c) I'm trying to come up with a synthesis. It seems that I have reached an interesting point that involves system security, but I don't have the technical capacity to deal with it. I'm just an end user.

I'm using Debian 12, I want to enable secure boot and sign a wifi module.

$ uname -a
Linux host 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux

BUT

- modprobe: ERROR: could not insert 'rtw_8723d': Key was rejected by service

These parameters are too advanced for me:
CONFIG_MODULE_SIG_FORCE
CONFIG_IMA_ARCH_POLICY

Here's an interesting reference:
linux-surface/linux-surface#906

Additional information:

BUGS:
- Debian Bug report logs - #1037146 Key was rejected by service
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037146
- Debian Bug report logs - #1012741 Key was rejected by service
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012741
- Debian Bug report logs - #1012816 Key was rejected by service
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012816;msg=22
- Debian Bug report logs - #989463 please align shim-signed dkms behaviour with Ubuntu
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989463
- Ubuntu Bug #1991725 - dkms package - fails to sign kernel modules
  https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1991725
- Debian Bug report logs - #939392 please provide kmodsign like Ubuntu does
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939392
- Debian Bug report logs - #928300 shim-signed: secure boot via removable media path unavailable
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928300


I made this tutorial to sign the kernel module with sign-file - I follow these steps to sign without DKMS and without script 💪

How to get WiFi Module signed for Secure Boot

Mandatory packages: openssl, sign-file and mokutil.

If you are going to compile the module in the kernel, usually the maintainer will indicate the packages to be installed beforehand. For example, you will need to install "make", "gcc", "kernel headers", "kernel build essentials", and "git".

$ sudo apt-get install git make gcc build-essential linux-image-$(uname -r|sed 's,[^-]*-[^-]*-,,') linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,')

Brief - Sign with Sign-file

1- Install a driver and test without Secure Boot
2- Enable Secure Boot
3- Generate a private and public key pair
4- Import
5- Reboot and Enroll
6- Sign the module with sign-file

1. Check if Secure Boot is enabled. When Secure Boot is disabled, the shimx64.efi will just directly load the real grubx64.efi bypassing all the Secure Boot steps, including loading the MOK. With the MOK not loaded, the kernel will have no way to recognize the signature on your module as valid. And with Secure Boot disabled, a signed module with an invalid signature is rejected, while unsigned modules only get a warning and a taint mark on any future oops/panic messages.
$ sudo mokutil --sb-state
SecureBoot enabled

2. Generate a key pair. You can create a personal public/private RSA key pair to sign the kernel modules. You can choose to store the key pair, for example, in the /var/lib/shim-signed/mok/ directory. Then create a new pair of private key (MOK.priv) and public key (MOK.der).

$ sudo mkdir -p /var/lib/shim-signed/mok
$ sudo openssl req -config /usr/lib/ssl/openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "/var/lib/shim-signed/mok/MOK.priv" -out "/var/lib/shim-signed/mok/MOK.der" -subj "/CN=MODULE/"
$ ls -l /var/lib/shim-signed/mok/
total 8
-rw-r--r-- 1 root root  779 MOK.der
-rw------- 1 root root 1704 MOK.priv
$ sudo chmod 600 /var/lib/shim-signed/mok/*
3. Enroll the public key (MOK.der) to MOK (Machine Owner Key) by entering the command:
$ sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
input password:
input password again:

Recheck if your key will be prompted on next boot:

$ sudo mokutil --list-new
4. Reboot and Enroll

The password in this step is a temporary-use password you'll only need to remember for a few minutes. Reboot the machine. When the bootloader starts, you should see a screen asking you to press a button to enter the MOK manager EFI utility. Note that any external keyboards won't work in this step. Select Enroll MOK in the first menu, then Continue, and then select Yes to enroll the keys, and re-enter the password established in the previous step. Then select OK to continue the system boot.

Steps:
-> "Enroll MOK"
-> "Continue".
-> "Yes".
-> Enter the password you set up just now.
-> Select "OK" and the computer will reboot again.

There are several commands to verify if your key "MODULE" is loaded and enrolled:

$ sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der
$ sudo dmesg | grep cert
$ sudo cat /proc/keys | grep MODULE
$ openssl x509 -in /var/lib/shim-signed/mok/MOK.der -inform DER -text -noout
5. Sign the module with sign-file

Use the same password you used before when setting up MOK for the BIOS to avoid confusion. Make sure you type the password carefully here with no errors, and don't get confused by it just waiting.

$ sudo su
~# read -s KBUILD_SIGN_PIN

Next export it and sign all modules.

$ sudo su
~# export KBUILD_SIGN_PIN

NOTE: KBUILD_SIGN_PIN allows a passphrase or PIN to be passed to the sign-file utility when signing kernel modules, if the private key requires such.

To sign the module, depending on your platform, the exact location of sign-file might vary. In Debian 12 (Bookworm) it was in the generic kernel build directory, /usr/src/linux-kbuild-$(uname -r | cut -d . -f 1-2)/scripts/sign-file.

And where was the module installed? In /lib/modules/$(uname -r)/kernel/drivers/*.ko

$ sudo modinfo -n rtw_8723d
  /lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_8723d.ko

To sign modules (with your KBUILD_SIGN_PIN), go to the directory containing the modules, and run

$ sudo su
~# cd /lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/
~# /usr/src/linux-kbuild-6.1/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der rtw_8723d.ko

Another, untested, form:

sudo --preserve-env=KBUILD_SIGN_PIN /usr/src/linux-kbuild-$(uname -r | cut -d . -f 1-2)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der $(modinfo -n rtw_8723d)

Assuming you type the password correctly, you won't get any errors. You should now be able to see that a module is signed. You can pick any module in that directory, but as an example:

$ sudo modinfo rtw_8723d
(...)
signer:         MODULE
sig_key:        XX:XX:XX:XX:XX:XX:XX:XX...
sig_hashalgo:   sha256
signature:      XX:XX:XX:XX:XX:XX:XX:XX...
(...)

NOTE: The filename may be different; just use tab completion to find the appropriate file if you want to check some other module.

You could try to load the module:

$ sudo modprobe -v rtw_8723d

After any kernel module loading failure, you should check the dmesg output: it might include a more specific error message. In this case it is likely to indicate that a module signature failed a validity check.

$ sudo dmesg --since -1m

If the modules are needed to boot your machine, make sure to update the initramfs, e.g. using

$ sudo update-initramfs -k all -u
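As an added check that is not part of this issue: before blaming the key, confirm that sign-file actually appended a signature trailer to the .ko. The script below parses the layout sign-file writes (PKCS#7 DER blob, a 12-byte struct module_signature, then the magic string "~Module signature appended~\n"), which is the same trailer the kernel and modinfo look at. The sample module bytes and the fake_pkcs7 blob are constructed stand-ins, not a real module or signature; run it with a path to a .ko to inspect a real file.

```python
import struct
import sys

# Layout from the kernel's include/linux/module_signature.h; scripts/sign-file
# appends <PKCS#7 DER> <struct module_signature> <MODULE_SIG_STRING> to the .ko.
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2  # id_type written by scripts/sign-file
# u8 algo, hash, id_type, signer_len, key_id_len; u8 __pad[3]; __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")


def parse_module_signature(data: bytes):
    """Return trailer details for a signed module, or None if it is unsigned.

    Raises ValueError when a trailer is present but malformed, which is one of
    the situations where the kernel refuses to load the module.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return None  # unsigned: only tainted unless CONFIG_MODULE_SIG_FORCE is set
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        raise ValueError("module too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    payload = body[: -SIG_HDR.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("legacy fields must be zero for PKCS#7 signatures")
    if sig_len == 0 or sig_len > len(payload):
        raise ValueError(f"sig_len {sig_len} inconsistent with module size")
    pkcs7 = payload[-sig_len:]
    if pkcs7[:1] != b"\x30":
        raise ValueError("signature blob does not start with a DER SEQUENCE")
    return {"module_len": len(payload) - sig_len, "sig_len": sig_len, "pkcs7": pkcs7}


def build_sample_module(signed: bool) -> bytes:
    """Constructed stand-in for a .ko (not a real module or a real signature)."""
    module = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return module
    fake_pkcs7 = b"\x30\x0a\x06\x08\x2a\x86\x48\x86\xf7\x0d\x01\x07"  # SEQUENCE { OID pkcs7 }
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_pkcs7))
    return module + fake_pkcs7 + hdr + MODULE_SIG_STRING


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_module(True)
    info = parse_module_signature(data)
    print("unsigned" if info is None else f"signed, {info['sig_len']}-byte PKCS#7 blob")
```

A present trailer only proves that sign-file ran; whether the kernel accepts it still depends on the MOK being enrolled and loaded, which the mokutil and dmesg checks above cover.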