From 9c25e59b439fcdd5fb473c9635716a1de03853b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=BBnn=20Ki=C3=A0n-=C3=AEng?= Date: Thu, 10 Nov 2022 22:24:37 +0800 Subject: [PATCH] Convey secure boot specific considerations (#177) --- lkmpg.tex | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lkmpg.tex b/lkmpg.tex index eb2d500..29ffc90 100644 --- a/lkmpg.tex +++ b/lkmpg.tex @@ -174,6 +174,24 @@ Rest assured, after you get over the initial hurdle of doing it for the first ti You will not see it unless you look through your \sh|journalctl| . See \ref{sec:helloworld} for details. To have immediate access to this information, do all your work from the console. + \item SecureBoot. + Many contemporary computers are pre-configured with UEFI SecureBoot enabled. + It is a security standard that can make sure the device boots using only software that is trusted by original equipment manufacturer. + The default Linux kernel from some distributions have also enabled the SecureBoot. + For such distributions, the kernel module has to be signed with the security key or you would get the "\emph{ERROR: could not insert module}" when you insert your first hello world module: + +\begin{codebash} +insmod ./hello-1.ko +\end{codebash} + And then you can check further with \sh|dmesg| and see the following text: + + \emph{Lockdown: insmod: unsigned module loading is restricted; + see man kernel lockdown.7} + + If you got this message, the simplest way is to disable the UEFI SecureBoot from the PC/laptop boot menu to have your "hello-1" to be inserted. + Of course you can go through complicated steps to generate keys, install keys to your system, and finally sign your module to make it work. + However, this is not suitable for beginners. + You could read and follow the steps in \href{https://wiki.debian.org/SecureBoot}{SecureBoot} if you are interested. \end{enumerate} \section{Headers}
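Review bot: In the new SecureBoot item, the paragraph starting "If you got this message, the simplest way is to disable the UEFI SecureBoot" recommends switching off boot verification for the whole machine without stating that trade-off or telling the reader to re-enable it afterwards. Suggest saying that this removes the boot-time trust check the item described a few sentences earlier, that it is best done on a dedicated test machine or VM, and that signing the module (the Debian wiki link) is the route for a system that has to stay locked down. Two smaller points in the same hunk: the quoted dmesg text is set in \emph and reads "see man kernel lockdown.7", while the man page the kernel message names is kernel_lockdown.7, so a verbatim environment that keeps the underscore would let readers look it up as written; and "The default Linux kernel from some distributions have also enabled the SecureBoot" needs "has", and would be clearer if it said the distribution kernel restricts unsigned module loading when SecureBoot is on, which is what the "has to be signed" sentence and the Lockdown message rely on.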