F34 + realtek wifi ax (rtw89) + module signing (solved)

Anyone familiar with signing kernel modules to get them to play nice with Fedora 34?

Found this…

Did more searching.
(per closed tracker, Fedora devs don't expect this driver pulled into the kernel until say 5.15…)

Did more searching, the instructions for signing:

git clone https://github.com/lwfinger/rtw89.git -b v5
cd rtw89
make
sudo bash -c 'MOK_KEY_DIR=/var/lib/shim-signed/mok make sign-install'

didn't work… but it also appears the Makefile that it pulled down (using git) is NOT the same as here:



So … maybe I should try again… (but instead of the v5 branch… I should use main)

but where do I get the MOK files from?
Do I make them? Should they be pulled using git?

(got a new laptop (Lenovo Legion 5) for my wife and converting her to Fedora, but can't give laptop to her with the wifi not working)

I believe that you need to create your own, since publishing private keys isn’t the greatest idea for obvious reasons. Maybe this helps: How to sign things for Secure Boot | Ubuntu

1 Like

it actually did, thanks!

b/t that and looking at fedora specific stuff

I figured it out :slight_smile:

I did have to use the main branch (because the sign stuff is in that Makefile)

and I had to edit the Makefile for Fedora since kmodsign is a package I could not find.

But if you have kernel-devel installed… there's a sign-file executable under the /../../$(uname -r)/scripts folder

So I had to modify the Makefile to use that when it goes to try to make sign-install

after adding the public key using mokutil…

reboot and watch for the prompt to enroll the key on boot

then boom… the kernel module loaded when it started that time.

2 Likes

Awesome, I was stuck on the part where you need to sign the module and could not find kmodsign anywhere for Fedora. I just got the Wi-Fi working on my new Lenovo Legion 7 Gen 6, thanks to you both.

Whoever is reading and has the same issue, you need to do the following (these steps are working as of today, Sep 19th, 2021, but they may change a bit in the future due to the repo being constantly updated or when the new kernel includes the fix):

  1. First install the required packages:
$ sudo yum update
$ sudo yum install git kernel-devel kernel-headers make gcc
  1. Get the latest module build, because the Makefile on v5 is not updated with the signed module section for Secure Boot (this may change in the future):
$ git clone https://github.com/lwfinger/rtw89.git
$ cd rtw89
$ make
  1. Now you need to sign the module, so first create this text file in the rtw89 folder (vi openssl_sign.cfg) and add the following content; it is not necessary to make any changes (check modzilla’s response for more details on this):
# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd 
[ req ]
distinguished_name      = req_distinguished_name
x509_extensions         = v3
string_mask             = utf8only
prompt                  = no

[ req_distinguished_name ]
countryName             = CA
stateOrProvinceName     = Quebec
localityName            = Montreal
0.organizationName      = cyphermox
commonName              = Secure Boot Signing
emailAddress            = [email protected]

[ v3 ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical,CA:FALSE
extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
nsComment               = "OpenSSL Generated Certificate"
  1. Once you have created the openssl_sign.cfg file then execute this:
$ openssl req -config openssl_sign.cfg -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"
  1. Then you need to enroll the key by using the command below. It will prompt you to enter a password twice (it will be used for the next step):
$ sudo mokutil --import MOK.der
  1. This is the tricky part, after you execute the mokutil command you will need to reboot, and just before the GRUB starts a blue screen will pop up and you need to follow these steps:
Select 'Enroll MOK'
Select 'Continue'
Enter the password previously defined
Select 'Reboot'
  1. After this is done, you will now need to change the following lines in Makefile like this:
sign:
# Comment out the lines beginning with kmodsign and insert the last two lines.
# $(shell uname -r) makes make run uname; a bare $(uname -r) is read as an empty make variable.
#       kmodsign sha512 $(MOK_KEY_DIR)/MOK.priv $(MOK_KEY_DIR)/MOK.der rtw89core.ko
#       kmodsign sha512 $(MOK_KEY_DIR)/MOK.priv $(MOK_KEY_DIR)/MOK.der rtw89pci.ko
        /usr/src/kernels/$(shell uname -r)/scripts/sign-file sha512 MOK.priv MOK.der rtw89core.ko
        /usr/src/kernels/$(shell uname -r)/scripts/sign-file sha512 MOK.priv MOK.der rtw89pci.ko
  1. Now you can install the module and enable it after it is installed using the below commands.
$ sudo bash -c 'MOK_KEY_DIR=/var/lib/shim-signed/mok make sign-install'
$ sudo modprobe rtw89pci
1 Like
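
A check for the signing step in the post above, as an added example that is not part of the original posts or of the rtw89 project: sign-file appends the PKCS#7 signature plus a fixed trailer to the .ko, so parsing that trailer confirms the module was actually signed before you reboot. The function names and the sample file are constructed for illustration; the trailer layout is the kernel's `struct module_signature`.

```shell
#!/bin/sh
# Added example: inspect the trailer that scripts/sign-file appends to a module.
# File layout after signing:
#   [module ELF][PKCS#7 signature][12-byte descriptor]["~Module signature appended~\n"]
# Descriptor bytes: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes,
# then sig_len as a 32-bit big-endian integer. id_type 2 means PKCS#7.
# Works on an uncompressed .ko; decompress a .ko.xz first.

MAGIC='~Module signature appended~'   # followed by "\n" in the file: 28 bytes total

# Prints "signed id_type=<n> sig_len=<n>" and returns 0,
# or prints "unsigned" / "corrupt" and returns 1.
module_sig_info() {
    f=$1
    size=$(( $(wc -c < "$f") ))
    # $(...) strips the trailing newline; tr drops NULs an unsigned ELF tail may contain.
    tail_str=$(tail -c 28 "$f" | tr -d '\000')
    if [ "$size" -lt 40 ] || [ "$tail_str" != "$MAGIC" ]; then
        echo "unsigned"
        return 1
    fi
    # Decode the 12 descriptor bytes that sit just before the magic string.
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -v -tu1)
    id_type=$3
    sig_len=$(( $9 * 16777216 + ${10} * 65536 + ${11} * 256 + ${12} ))
    # The signature has to fit between the start of the file and the descriptor.
    if [ "$sig_len" -eq 0 ] || [ $(( sig_len + 40 )) -gt "$size" ]; then
        echo "corrupt"
        return 1
    fi
    echo "signed id_type=$id_type sig_len=$sig_len"
}

# Constructed sample (not a real module): payload + 16-byte stand-in signature + trailer.
make_sample_signed() {
    printf 'FAKE-ELF-PAYLOAD' > "$1"
    printf 'DUMMYSIGNATURE!!' >> "$1"
    printf '\000\000\002\000\000\000\000\000\000\000\000\020' >> "$1"  # id_type=2, sig_len=16
    printf '~Module signature appended~\n' >> "$1"
}

# Stand-alone use: sh check_sig.sh rtw89pci.ko
if [ $# -gt 0 ]; then module_sig_info "$1"; fi
```

On the installed system, `modinfo -F signer rtw89pci.ko` shows the signing certificate's name, and `mokutil --test-key MOK.der` reports whether that certificate is enrolled.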

:fedora:

yeah… the git issue I found said around kernel 5.15 it should be added into the kernel for ax wifi…

so not too much longer to go.
I hope