Hello,
I have a question about how module signature keys are supposed to work in gentoo. On my laptop, in make.conf, I have my module signing keys set to my secure boot key, while for my kernel, I use the default signing key in /var/tmp/portage/<sources>, and it compiles, signs, and boots without issue.
I just installed gentoo on another computer I have, and I had module signing keys set to sbctl keys in make.conf, and while I was using a distribution kernel, it booted without issue. Yesterday, I configured a custom kernel, and it compiles fine, but I am unable to load the zfs module when it boots into the initramfs because the key isn't trusted by the kernel.
I tried setting the default module_sig key in the kernel to my sbctl keys, however, it gives errors when compiling and installing modules.
My question is how do I properly configure the keys in the kernel and make.conf for secure boot to work, and for my zfs module to work so I can decrypt my system.
Signing Keys, Secure Boot Question
Message
Re: Signing Keys, Secure Boot Question
To sign modules enable the "modules-sign" USE flag and set MODULES_SIGN_KEY and MODULES_SIGN_CERT to your sbctl key (or a different key) in your make.conf. Then rebuild zfs.juliedeville wrote: My question is how do I properly configure the keys in the kernel and make.conf for secure boot to work, and for my zfs module to work so I can decrypt my system.
Module signing is something separate from secureboot, though in Gentoo if you build your own sys-kernel/gentoo-kernel with USE=secureboot enabled this will also automatically enable "lockdown" mode which enforces that kernel modules are signed. You may override this via /etc/kernel/config.d. If you do not specify a MODULES_SIGN_KEY or MODULES_SIGN_CERT then the kernel build system will generate a key for you, the zfs package should pick this up automatically when you rebuild it and sign with that key. However the key will be re-generated every time you build the kernel so I recommend specifying the module signing key explicitly in make.conf to ensure consistency. This does not apply to sys-kernel/gentoo-kernel-bin.
OS: Gentoo 6.19.3-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400