
23.7. Signing Kernel Modules for Secure Boot

Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. [2] When Secure Boot is enabled, the EFI operating system boot loaders, the Fedora kernel, and all kernel modules must be signed with a private key and authenticated with the corresponding public key. The Fedora distribution includes signed boot loaders, signed kernels, and signed kernel modules. In addition, the signed first-stage boot loader and the signed kernel include embedded Fedora public keys. These signed executable binaries and embedded keys enable Fedora to install, boot, and run with the Microsoft UEFI Secure Boot CA keys that are provided by the UEFI firmware on systems that support UEFI Secure Boot.[3]
The information provided in the following sections describes steps necessary to enable you to self-sign privately built kernel modules for use with Fedora on UEFI-based systems where Secure Boot is enabled. These sections also provide an overview of available options for getting your public key onto the target system where you want to deploy your kernel module.

23.7.1. Prerequisites

In order to enable signing of externally built modules, the tools listed in the following table are required to be installed on the system.
Table 23.1. Required Tools

Tool        Provided by package   Used on         Purpose
openssl     openssl               Build system    Generates the public and private X.509 key pair
sign-file   kernel-devel          Build system    Perl script used to sign kernel modules
perl        perl                  Build system    Perl interpreter used to run the signing script
mokutil     mokutil               Target system   Optional tool used to manually enroll the public key
keyctl      keyutils              Target system   Optional tool used to display public keys in the system key ring

Note

The build system, where you build and sign your kernel module, does not need to have UEFI Secure Boot enabled and does not even need to be a UEFI-based system.
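The following is an added example, not code from the Fedora guide or from the kernel's sign-file tool. It parses the trailer that sign-file appends to a signed .ko: the raw signature data, a 12-byte header (the kernel's struct module_signature) describing it, and the magic string "~Module signature appended~\n". The trailer layout and the enumeration values are the kernel's own; the module bytes, signer name, key id and signature used in the fixture are constructed placeholders, not a real signed module. A check like this lets you confirm, on the build system, that every module you intend to deploy actually carries a signature before it is copied to a Secure Boot target, and it handles both the older X.509-style trailer (signer name and key id present) and the PKCS#7-style trailer (header fields zero, DER blob as the signature).

```python
#!/usr/bin/env python3
"""Inspect the signature trailer that sign-file appends to a kernel module.

sign-file does not wrap the module in a container: it appends the raw
signature data, a 12-byte header (struct module_signature) describing it,
and the 28-byte magic string. The kernel verifies the signature over the
bytes that precede the appended data.
"""
import struct
import sys
from dataclasses import dataclass
from typing import Optional

MAGIC = b"~Module signature appended~\n"

# struct module_signature, as laid out by sign-file:
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len,
#   u8 pad[3], __be32 sig_len
HEADER = struct.Struct(">BBBBB3xI")

# Kernel enumerations for the first three header bytes.
PKEY_ALGO = {0: "DSA", 1: "RSA"}
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
             4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
ID_TYPE = {0: "PGP", 1: "X509", 2: "PKCS7"}


@dataclass
class ModuleSignature:
    algo: str
    hash: str
    id_type: str
    signer: bytes      # signer's name (empty for PKCS#7-style trailers)
    key_id: bytes      # key identifier (empty for PKCS#7-style trailers)
    signature: bytes   # raw signature or DER-encoded PKCS#7 blob


def parse_module_signature(data: bytes) -> Optional[ModuleSignature]:
    """Return the parsed trailer, or None if no signature is appended.

    Raises ValueError on a trailer whose lengths do not fit the file,
    which is what a truncated or tampered module looks like.
    """
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < HEADER.size:
        raise ValueError("file too short for a module_signature header")
    hdr_off = len(body) - HEADER.size
    algo, hash_, id_type, signer_len, key_id_len, sig_len = HEADER.unpack(body[hdr_off:])
    total = signer_len + key_id_len + sig_len
    if total > hdr_off:
        raise ValueError("signature lengths exceed the module size")
    blob = body[hdr_off - total:hdr_off]
    return ModuleSignature(
        algo=PKEY_ALGO.get(algo, f"unknown({algo})"),
        hash=HASH_ALGO.get(hash_, f"unknown({hash_})"),
        id_type=ID_TYPE.get(id_type, f"unknown({id_type})"),
        signer=blob[:signer_len],
        key_id=blob[signer_len:signer_len + key_id_len],
        signature=blob[signer_len + key_id_len:],
    )


def build_signed_module(payload: bytes, signer: bytes, key_id: bytes,
                        signature: bytes, algo: int = 1, hash_: int = 4,
                        id_type: int = 1) -> bytes:
    """Constructed fixture: append a trailer in the layout sign-file uses.

    The signature bytes are placeholders, not a cryptographically valid
    signature; this exists only so the parser can be exercised offline.
    """
    hdr = HEADER.pack(algo, hash_, id_type, len(signer), len(key_id), len(signature))
    return payload + signer + key_id + signature + hdr + MAGIC


def main(path: str) -> int:
    """Report whether the module at `path` is signed and what the header says."""
    with open(path, "rb") as f:
        sig = parse_module_signature(f.read())
    if sig is None:
        print(f"{path}: no appended signature")
        return 1
    print(f"{path}: signed, algo={sig.algo} hash={sig.hash} id_type={sig.id_type}")
    if sig.signer:
        print(f"  signer: {sig.signer.decode('utf-8', 'replace')}")
    if sig.key_id:
        print(f"  key id: {sig.key_id.hex()}")
    print(f"  signature: {len(sig.signature)} bytes")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]) if len(sys.argv) > 1 else 2)
```

Run it as `python3 check_modsig.py /path/to/module.ko`; a non-zero exit means the module has no appended signature, which is the case Secure Boot will reject at load time. Because the kernel only validates lengths and magic when it strips the trailer, the parser rejects trailers whose declared lengths exceed the file rather than silently reading out of bounds.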


[2] Fedora does not require the use of Secure Boot on UEFI systems.
[3] Not all UEFI-based systems include support for Secure Boot.