
22.7.2.2.  Kernel Module Authentication Requirements

If UEFI Secure Boot is enabled, or if the module.sig_enforce kernel parameter has been specified, then only signed kernel modules whose signature is authenticated by a key on the system key ring can be successfully loaded.[4] If UEFI Secure Boot is disabled and the module.sig_enforce kernel parameter has not been specified, then unsigned kernel modules, and signed kernel modules whose public key is not on the system key ring (or whose signature does not verify), can also be loaded, but loading them taints the kernel. This is summarized in Table 22.3, “Kernel Module Authentication Requirements for Loading”.
Table 22.3. Kernel Module Authentication Requirements for Loading

Module Signed | Public Key Found and Signature Valid | UEFI Secure Boot State | module.sig_enforce | Module Load | Kernel Tainted
------------- | ------------------------------------ | ---------------------- | ------------------ | ----------- | --------------
Unsigned      | -                                    | Not enabled            | Not enabled        | Succeeds    | Yes
Unsigned      | -                                    | Not enabled            | Enabled            | Fails       | -
Unsigned      | -                                    | Enabled                | -                  | Fails       | -
Signed        | No                                   | Not enabled            | Not enabled        | Succeeds    | Yes
Signed        | No                                   | Not enabled            | Enabled            | Fails       | -
Signed        | No                                   | Enabled                | -                  | Fails       | -
Signed        | Yes                                  | Not enabled            | Not enabled        | Succeeds    | No
Signed        | Yes                                  | Not enabled            | Enabled            | Succeeds    | No
Signed        | Yes                                  | Enabled                | -                  | Succeeds    | No
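The script below is an added example, not part of the Red Hat documentation, that gathers the inputs to Table 22.3 from a running host and applies the table's rule before an insmod or modprobe is attempted. It reads the UEFI SecureBoot variable through efivars (the first 4 bytes of an efivars file are the variable attributes, the data follows), the read-only sig_enforce parameter under /sys/module/module/parameters, and detects a signature by the fixed magic string the kernel appends to every signed module. Whether the signing key is actually on the system key ring can only be decided by the kernel (or by comparing `modinfo -F sig_key` against `keyctl list %:.system_keyring`), so that input is passed in as an argument. The SB_VAR and SIG_ENFORCE_FILE overrides exist so the same logic can be exercised against constructed files offline.

```shell
#!/bin/sh
# Added example: predict which row of Table 22.3 a module falls under.
# Paths default to the live sysfs/efivars locations; override them to test offline.
SB_VAR=${SB_VAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
SIG_ENFORCE_FILE=${SIG_ENFORCE_FILE:-/sys/module/module/parameters/sig_enforce}

# Prints "Enabled" when the SecureBoot variable's data byte is 1, else "Not enabled".
# The efivars file layout is 4 bytes of attributes followed by the variable data.
secure_boot_enabled() {
    if [ -r "$SB_VAR" ]; then
        val=$(od -An -tu1 -j4 -N1 "$SB_VAR" | tr -d ' ')
        [ "$val" = "1" ] && echo "Enabled" || echo "Not enabled"
    else
        echo "Not enabled"   # no efivars at all: legacy BIOS boot, Secure Boot cannot be on
    fi
}

# Prints "Enabled" when module.sig_enforce is in effect (sysfs shows Y), else "Not enabled".
sig_enforce_set() {
    if [ -r "$SIG_ENFORCE_FILE" ] && [ "$(tr -d '[:space:]' < "$SIG_ENFORCE_FILE")" = "Y" ]; then
        echo "Enabled"
    else
        echo "Not enabled"
    fi
}

# module_is_signed FILE: a signed .ko ends with the 28-byte magic
# "~Module signature appended~\n" (the struct module_signature and the PKCS#7 blob precede it).
module_is_signed() {
    magic='~Module signature appended~'
    [ "$(tail -c 28 "$1")" = "$magic" ] && echo "Signed" || echo "Unsigned"
}

# predict_load SIGNED KEYVALID SECUREBOOT SIGENFORCE
# Encodes the rule behind Table 22.3: a module whose signature verifies against a key on
# the system key ring always loads cleanly; anything else loads only when neither
# enforcing condition holds, and then taints the kernel.
predict_load() {
    signed=$1 keyvalid=$2 sb=$3 enforce=$4
    if [ "$signed" = "Signed" ] && [ "$keyvalid" = "Yes" ]; then
        echo "Succeeds (kernel not tainted)"
    elif [ "$sb" = "Enabled" ] || [ "$enforce" = "Enabled" ]; then
        echo "Fails"
    else
        echo "Succeeds (kernel tainted)"
    fi
}

# Usage: ./modcheck.sh /path/to/module.ko [Yes|No]   (second arg: is the signing key on the key ring)
if [ -n "$1" ]; then
    signed=$(module_is_signed "$1")
    keyvalid=${2:-No}
    sb=$(secure_boot_enabled)
    enforce=$(sig_enforce_set)
    echo "module: $1 ($signed, key on system key ring: $keyvalid)"
    echo "UEFI Secure Boot: $sb, module.sig_enforce: $enforce"
    echo "expected result: $(predict_load "$signed" "$keyvalid" "$sb" "$enforce")"
fi
```

After an unsigned or unverifiable module has been loaded on a non-enforcing host, the taint is visible as flag E (bit 13, value 8192) in /proc/sys/kernel/tainted, which is a useful thing to alert on in fleets that are supposed to be running only signed modules.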

Subsequent sections will describe how to generate a public and private X.509 key pair, how to use the private key to sign a kernel module, and how to enroll the public key into a source for the system key ring.


[4] Provided that the public key is not on the system blacklist key ring.