kernel module in UEFI secure boot
At the end of installation, the following messages are shown:
Job for eveusb.service failed because the control process exited with error code.
See "systemctl status eveusb.service" and "journalctl -xe" for details.
cannot open socket connection with daemon
waiting for daemon's readiness ...
cannot open socket connection with daemon
cannot open socket connection with daemon
cannot register, try later
Check the service status:
$ systemctl status eveusb.service
If the output contains the message:
ERROR: could not insert ‘eveusb’: Operation not permitted
then your kernel was booted in “secure boot” mode, and the module can’t be loaded.
Solution 1:
- Enter BIOS, then turn secure boot off.
Solution 2:
- Remove “secure boot” entirely
- Depends on the UEFI BIOS
- This might be done with:
sudo apt install mokutil
sudo mokutil --disable-validation
reboot
Press Down and Enter in the shim menu to change the secure boot state
Solution 3:
- Sign your modules
- Depends on the UEFI BIOS
- Add your own signature to the valid signatures
- Create the signing keys
openssl req -new -x509 -newkey rsa:2048 -keyout OCP.priv -outform DER -out OCP.der -nodes -days 36500 -subj "/CN=OpenCells/"
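- Keep the two files OCP.der and OCP.priv, as you’ll need them to sign your kernel modules (OCP.priv is written without a passphrase because of -nodes, so keep it readable by root only)
- Import the key into the UEFI boot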
sudo mokutil --import OCP.der
- It asks for a password: enter any string; you’ll need it once, at the next reboot, to confirm the enrollment of the new key
- You need to reboot the machine to enroll this new key
- Now you can sign your modules
- Each time you compile a module, you have to sign it
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./OCP.priv ./OCP.der $(modinfo -n eveusb)
- reboot
- You’ll need to compile and update the module after each kernel upgrade
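The signing step in Solution 3 has to be repeated after every rebuild, so it helps to script it. The following is an added example, not part of the original page: it checks whether the module file already ends with the kernel's appended-signature trailer, signs it with the sign-file command shown above if not, and prints the signer. The function names and the SIGN_FILE override are assumptions made for this example, and it expects an uncompressed .ko file.

```shell
#!/bin/sh
# Added example (not from the original page): sign a module only when needed,
# then confirm the signature is present. Assumes an uncompressed .ko file.

MAGIC='~Module signature appended~'   # trailer at the end of a signed module (plus "\n")

hex() { od -An -tx1 | tr -d ' \n'; }

# 0 = file ends with the signature trailer, 1 = unsigned, 2 = no such file
is_signed() {
    [ -f "$1" ] || return 2
    [ "$(tail -c 28 "$1" | hex)" = "$(printf '%s\n' "$MAGIC" | hex)" ]
}

# sign_module KO KEY CERT; SIGN_FILE is a hypothetical override used for testing
sign_module() {
    if is_signed "$1"; then echo "already signed: $1"; return 0; fi
    tool=${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}
    "$tool" sha256 "$2" "$3" "$1" || return 1
    is_signed "$1"
}

main() {
    key=${2:-./OCP.priv}; cert=${3:-./OCP.der}
    mokutil --sb-state                 # is Secure Boot enabled?
    mokutil --test-key "$cert"         # is the certificate enrolled?
    ko=$(modinfo -n "$1") || return 1
    sign_module "$ko" "$key" "$cert" || { echo "signing failed: $ko" >&2; return 1; }
    echo "signer: $(modinfo -F signer "$ko")"
}

# Run as root, e.g.: sh sign-check.sh eveusb ./OCP.priv ./OCP.der
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the signer line does not show the CN used when the key was created (OpenCells in the command above), the module carries a signature from a different key.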