Product SiteDocumentation Site

23.7.5. Signing Kernel Module with the Private Key

There are no extra steps required to prepare your kernel module for signing. You build your kernel module normally. Assuming an appropriate Makefile and corresponding sources, follow these steps to build your module and sign it:
  1. Build your my_module.ko module the standard way:
    ~]# make -C /usr/src/kernels/$(uname -r) M=$PWD modules
  2. Sign your kernel module with your private key. This is done with a Perl script. Note that the script requires that you provide both the files that contain your private and the public key as well as the kernel module file that you want to sign.
    ~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file \ > sha256 \ > my_signing_key.priv \ > my_signing_key_pub.der \ > my_module.ko
Your kernel module is in ELF image format and this script computes and appends the signature directly to the ELF image in your my_module.ko file. The modinfo utility can be used to display information about the kernel module's signature, if it is present. For information on using the utility, see Section 23.2, “Displaying Information About a Module”.
Note that this appended signature is not contained in an ELF image section and is not a formal part of the ELF image. Therefore, tools such as readelf will not be able to display the signature on your kernel module.
Your kernel module is now ready for loading. Note that your signed kernel module is also loadable on systems where UEFI Secure Boot is disabled or on a non-UEFI system. That means you do not need to provide both a signed and unsigned version of your kernel module.