Product SiteDocumentation Site

23.7.6. Loading Signed Kernel Module

Once your public key is enrolled and is in the system keyring, the normal kernel module loading mechanisms will work transparently. In the following example, you will use mokutil to add your public key to the MOK list and you will manually load your kernel module with modprobe.
  1. Optionally, you can verify that your kernel module will not load before you have enrolled your public key. First, verify what keys have been added to the system key ring on the current boot by running the keyctl list %:.system_keyring as root. Since your public key has not been enrolled yet, it should not be displayed in the output of the command.
  2. Request enrollment of your public key.
    ~]# mokutil --import my_signing_key_pub.der
  3. Reboot, and complete the enrollment at the UEFI console.
    ~]# reboot
  4. After the system reboots, verify the keys on the system key ring again.
    ~]# keyctl list %:.system_keyring
  5. You should now be able to load your kernel module successfully.
    ~]# modprobe -v my_module
    insmod /lib/modules/3.17.4-302.fc21.x86_64/extra/my_module.ko
    ~]# lsmod | grep my_module
    my_module 12425 0