PKCS#7 signature not signed with a trusted key

Ralf Mardorf <ralf-mardorf@xxxxxxxxxx> · Wed, 12 Apr 2023 09:55:38 +0200

Hi,

some kernels that do boot on my old UEFI computer with legacy boot
enabled, don't boot on my new UEFI computer were the Intel processor
graphics doesn't allow to enable legacy boot, but at least _secure boot_
is _disabled_.

What can I do to get rid of the error?

The kernel parameter "module.sig_enforce=1" is _never_ used.

A kernel that fails to boot with "PKCS#7 signature not signed with a
trusted key": 

[rocketmouse@archlinux ~]$ ls -hl /lib/modules/4.19.271-rt120-0.300-cornflower/updates/dkms/
.rw-r--r-- root root  65 KB Sun Apr  2 15:42:39 2023  r8125.ko.xz
.rw-r--r-- root root 142 KB Wed Mar  1 20:17:25 2023  vboxdrv.ko.xz
.rw-r--r-- root root 4.6 KB Wed Mar  1 20:17:25 2023  vboxnetadp.ko.xz
.rw-r--r-- root root  14 KB Wed Mar  1 20:17:25 2023  vboxnetflt.ko.xz
[rocketmouse@archlinux ~]$ grep MODULE_SIG /lib/modules/4.19.271-rt120-0.300-cornflower/build/.config 
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

A kernel that doesn't fail:

[rocketmouse@archlinux ~]$ ls -hl /lib/modules/6.2.10-arch1-1/updates/dkms/
.rw-r--r-- root root 116 KB Sun Apr  9 13:32:10 2023  r8125.ko.zst
.rw-r--r-- root root 221 KB Sun Apr  9 13:31:59 2023  vboxdrv.ko.zst
.rw-r--r-- root root  27 KB Sun Apr  9 13:31:59 2023  vboxnetadp.ko.zst
.rw-r--r-- root root  47 KB Sun Apr  9 13:31:59 2023  vboxnetflt.ko.zst
[rocketmouse@archlinux ~]$ grep MODULE_SIG /lib/modules/6.2.10-arch1-1/build/.config 
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
# CONFIG_MODULE_SIG_KEY_TYPE_RSA is not set
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y

Regards,
Ralf