Module sign key ignore

Hi

We are developing a camera driver.

After developing the camera driver, we want to apply only the driver to the official image.

But the sign key does not match, so a module error “module verification failed signature and/or required key missing” occurs.

Can we register the driver by ignoring the sign key?

Hi @rlatae123

What steps are you following to build and install the driver?

Enrique Ramirez
Embedded SW Engineer at RidgeRun
Contact us: support@ridgerun.com
Developers wiki: https://developer.ridgerun.com
Website: www.ridgerun.com

We are building and installing through the nvbuild script.

hello rlatae123,

did you mean the warning message reported as below?
module verification failed: signature and/or required key missing - tainting kernel

By default, the kernel has the ability to load unsigned modules, but it taints the kernel as a security precaution. this tainting serves as a warning that the kernel may be running with unverified or unsafe code.

FYI,
we have the CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" as the default setting.
the signing key is automatically generated in each kernel build, which means the signing key is different for each kernel build; thus, the kernel module compiled by the user has a different sig_key from the release one.

here are a couple of approaches to resolve this.
(1) you may configure CONFIG_MODULE_SIG as disabled to get rid of the message during modprobe/insmod.
or…
(2) you may try to specify your own sig_key using CONFIG_MODULE_SIG_KEY in kernel config, to rebuild the kernel and kernel modules, install the kernel image, dtbs and kernel modules to target.
after that, please use your own sig_key to sign the tegra-camera.ko built later.
please also see the developer guide for reference, Kernel Module Signing.
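
Added example, not part of the reply above or of NVIDIA's documentation: a Python check for whether a .ko file carries an appended signature, useful after signing a module with your own key as in approach (2). It assumes the mainline Linux trailer layout (signature blob, 12-byte struct module_signature, then the magic string); the function names and sample bytes are constructed for illustration, and the check confirms presence only, not that the running kernel trusts the signing key.

```python
import struct

# Assumed layout (mainline Linux signed module):
#   <module ELF> <signature blob> <12-byte struct module_signature> <magic>
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32.
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type value for a PKCS#7 signature blob


def inspect_module(data: bytes) -> dict:
    """Report whether a .ko image carries an appended signature."""
    if not data.endswith(MAGIC):
        return {"signed": False, "reason": "no signature magic at end of file"}
    body = data[: -len(MAGIC)]
    if len(body) < TRAILER.size:
        return {"signed": False, "reason": "truncated signature trailer"}
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    payload_end = len(body) - TRAILER.size
    # A length of zero or one larger than the file means a corrupt trailer.
    if sig_len == 0 or sig_len > payload_end:
        return {"signed": False, "reason": "signature length out of range"}
    return {
        "signed": True,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "module_len": payload_end - sig_len,  # size of the unsigned ELF part
    }


def make_sample(sig: bytes = b"") -> bytes:
    """Constructed stand-in for a .ko file (not a real ELF module)."""
    elf = b"\x7fELF" + b"\x00" * 60
    if not sig:
        return elf
    return elf + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    print(inspect_module(make_sample()))                         # unsigned
    print(inspect_module(make_sample(b"\x30\x82" + b"\xaa" * 254)))  # signed
```

To check a real module, pass the bytes of the file, for example `inspect_module(open("tegra-camera.ko", "rb").read())`.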

Hi Jerry

When flashing with sdkmanager, each module has a signing key applied.

Is that right?

However, when building the kernel, a new key is generated and applied to the module.

I want to apply a specific module I built to an environment that was run with SDKMANAGER.

Is there such a way?

Or is it possible to apply the module key applied to the official image to a custom module?

hello rlatae123,

as mentioned, there’s no chance for using the same sig_key to sign kernel modules.
please try those two approaches to resolve such warning message.

Hi, Jerry

I’ll try the suggested method

I have two more questions

If a key error like the above occurs

Is the applied module a module that is not working properly?

And is it possible to replace modules in official images without building the kernel?

hello rlatae123,

it’s a warning instead of a failure, please check my previous comment #6 for explanation.
