Environment:
- Platform: NVIDIA IGX Thor Mini
- Kernel:
6.8.0-1019-nvidia-tegra-rt(Canonical signed kernel image) - Secure Boot Status: Currently Disabled (Planning to enable it for an upcoming release)
Issue:
We are trying to sign an out-of-tree (OOT) custom kernel module (.ko) using a Machine Owner Key (MOK) so that it complies with our upcoming Secure Boot release. However, when loading the module via insmod/modprobe, the kernel rejects it with the following error:
module verification failed: signature and/or required key missing - tainting kernel
Steps we followed:
- Generated MOK Keys: Created a private key (
MOK.priv) and public certificate (MOK.der) using OpenSSL. - Signed the Module: Used the kernel’s built-in script:
sudo /usr/src/linux-headers-6.8.0-1019-nvidia-tegra-rt/scripts/sign-file sha256 MOK.priv MOK.der custom_module.ko
- Verified Signature: Running
modinfo custom_module.ko | grep signersuccessfully shows our custom signer name. - Enrolled Key: Imported the certificate using
sudo mokutil --import MOK.derand completed the enrollment successfully in the Shim UEFI Key Management screen upon reboot.
The Problem:
Even though the key is enrolled and Secure Boot is currently disabled, the kernel still complains about the missing key/signature.
Questions:
- Does the Canonical-signed
nvidia-tegra-rtkernel properly support/trust the UEFI MOK keyring for out-of-tree modules on this platform? - Are there specific steps or a different keyring we must use to make the Tegra RT kernel trust a custom-signed module on IGX?
Any guidance or standard workaround for signing OOT drivers on this specific kernel would be highly appreciated.