IGX Kernel: Custom Signed Module Fails Verification with MOK (Signature and/or Required Key Missing)

Environment:

  • Platform: NVIDIA IGX Thor Mini
  • Kernel: 6.8.0-1019-nvidia-tegra-rt (Canonical signed kernel image)
  • Secure Boot Status: Currently Disabled (Planning to enable it for an upcoming release)

Issue:

We are trying to sign an out-of-tree (OOT) custom kernel module (.ko) using a Machine Owner Key (MOK) so that it complies with our upcoming Secure Boot release. However, when loading the module via insmod/modprobe, the kernel rejects it with the following error:

module verification failed: signature and/or required key missing - tainting kernel

Steps we followed:

  1. Generated MOK Keys: Created a private key (MOK.priv) and public certificate (MOK.der) using OpenSSL.
  2. Signed the Module: Used the kernel’s built-in script:
sudo /usr/src/linux-headers-6.8.0-1019-nvidia-tegra-rt/scripts/sign-file sha256 MOK.priv MOK.der custom_module.ko
  1. Verified Signature: Running modinfo custom_module.ko | grep signer successfully shows our custom signer name.
  2. Enrolled Key: Imported the certificate using sudo mokutil --import MOK.der and completed the enrollment successfully in the Shim UEFI Key Management screen upon reboot.

The Problem:

Even though the key is enrolled and Secure Boot is currently disabled, the kernel still complains about the missing key/signature.

Questions:

  1. Does the Canonical-signed nvidia-tegra-rt kernel properly support/trust the UEFI MOK keyring for out-of-tree modules on this platform?
  2. Are there specific steps or a different keyring we must use to make the Tegra RT kernel trust a custom-signed module on IGX?

Any guidance or standard workaround for signing OOT drivers on this specific kernel would be highly appreciated.

Hi cibi.p,

Based on the IGX Kernel Module Verification flow, the recommended approach for IGX Thor is to sign OOT kernel modules with the Vendor Owned DB key (db_vendor) enrolled in the UEFI db, rather than relying on a MOK-only flow.

Also, with Secure Boot currently disabled, the module verification failed: signature and/or required key missing message may only indicate that the module is not trusted by the kernel keyring; it does not always mean the module load itself failed. Enforcement happens when Secure Boot and kernel lockdown are enabled.

For release validation, we suggest following the official IGX flow below:

  • Enroll the db_vendor certificate into UEFI db during Secure Boot setup.

  • Convert the certificate to DER format, then sign the module with kmodsign sha512 db_vendor.key db_vendor.der <module>.ko.unsigned <module>.ko.signed.

  • Copy the signed module back to the target and verify it loads successfully.

Please refer to the official guide here: Kernel Module Verification.