[elrepo] Using kmod-wl in EL7 - stuck on mokutil "Failed to enroll new keys"
Steve Tindall
s10dal at elrepo.org
Sat Apr 14 01:01:50 EDT 2018
On 04/13/2018 03:50 PM, Robert Nichols wrote:
> I've gone through the steps on the elrepo.org/tiki/wl-kmod page, but
> cannot load the new wl module. Running "mokutil --import
> /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.ord.der" just gets "Failed to
> enroll new keys".
>
> The elrepo.org/tiki/SecureBootKey page references a subscriber-only
> Red Hat page for help. Any help for someone who cannot read that page?
> (Yes, I know about "Just turn off secure boot." Looking for an actual
> answer.)
>
In the case of kmod-wl, you built the binary on your system, so it is
not signed with the elrepo secure boot key. Only EL7 kmods built on the
elrepo build systems are signed with the elrepo secure boot key.
Installing the elrepo secure boot key on your system will not help in
your case.
To use kmod-wl with secure boot, you need to generate your own secure
boot signing key, sign kmod-wl with it and import the public key onto
your system as described at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html
Real PITA, hence why so many people ask "Do you really need secure
boot?" :-)
Red Hat just released RHEL 7.5 on Tuesday and I think they were updating
their standard documentation today, hence the inability to reach the
link earlier today. The above link is from the 7.4 release or so it
seems. The link is available to anyone, not just RHEL subscribers.
Hope that helps.
Steve
More information about the elrepo
mailing list