Thank you for your response.
However, your response doesn’t seem to address my specific question. (Our conversation may not be aligned due to my limited understanding.)
I am asking about points where the description in the Developer Guide, the answers in this forum, and the current situation don’t seem to align.
Current Situation:
The ko module signature and the verifier do not match.
Developer Guide:
By default, kernel modules are not signed at build time even if kernel module signature verification is enabled.
This states that .ko modules are not updated with default settings (although it seems they would be if CONFIG_MODULE_SIG_ALL is enabled).
If that’s the case, then this would make sense given the current situation.
Forum Response:
The CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" is the default setting for kernel module signature verification feature. Since you’re building your own modules, a new created *.ko has different keys already.
From this, it seems that the .ko modules are also updated by default (is CONFIG_MODULE_SIG_ALL enabled by default?).
If so, I don’t understand why there is a signature mismatch.
Regarding this, based on our previous conversation, I imagined that while the signature for .ko modules is updated, the verifier side does not automatically accept new signatures even if a kernel build is performed.
(Or does “newly created signature” in the default settings mean that it is in an “unsigned” state?)
I would like to confirm if this understanding is correct.
And I’d like to know how to update the verifier side.
Thank you for your time.
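
Whether a .ko is unsigned or signed with some key, the distinction the post above asks about, can be read from the file itself, because a signed module ends with a fixed trailer. The following is an added example, not part of the original post or the Developer Guide; it assumes the upstream Linux appended-signature layout (a 12-byte signature info structure followed by the magic string), and the sample bytes are constructed placeholders, not a real module.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # trailer appended after the signature info
PKEY_ID_PKCS7 = 2                          # id_type for a PKCS#7 signature
INFO = struct.Struct(">BBBBB3xI")          # algo, hash, id_type, signer_len, key_id_len, pad, sig_len

def module_signature_info(blob):
    """Return None for an unsigned module image, else details of the appended signature."""
    if not blob.endswith(MAGIC):
        return None                        # no trailer: the module was never signed
    info_end = len(blob) - len(MAGIC)
    if info_end < INFO.size:
        raise ValueError("trailer present but signature info is truncated")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = INFO.unpack(
        blob[info_end - INFO.size:info_end])
    sig_end = info_end - INFO.size
    if sig_len == 0 or sig_len > sig_end:
        raise ValueError("sig_len does not fit inside the file")
    return {
        "id_type": id_type,
        "is_pkcs7": id_type == PKEY_ID_PKCS7 and not any((algo, hash_, signer_len, key_id_len)),
        "sig_len": sig_len,
        "payload_len": sig_end - sig_len,              # size of the module without the signature
        "signature": blob[sig_end - sig_len:sig_end],  # PKCS#7 blob that identifies the signer
    }

# Constructed sample input: placeholder bytes, not a real module or a real signature.
SAMPLE_UNSIGNED = b"\x7fELF" + b"\x00" * 60
SAMPLE_FAKE_SIG = b"\x30\x82" + b"\xaa" * 30
SAMPLE_SIGNED = (SAMPLE_UNSIGNED + SAMPLE_FAKE_SIG
                 + INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(SAMPLE_FAKE_SIG)) + MAGIC)

if __name__ == "__main__":
    # With no argument the constructed sample is inspected; otherwise pass a path to a .ko file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SIGNED
    info = module_signature_info(data)
    if info is None:
        print("unsigned: no appended signature")
    else:
        print(f"signed: {info['sig_len']}-byte signature, PKCS#7 = {info['is_pkcs7']}")
```

A result of None means the module carries no signature at all; a returned signature means the module is signed, and acceptance then depends on whether the signing certificate is among the keys the running kernel trusts.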