How to insmod ko on Fedora 42

yinanzhang · May 8, 2025, 1:50pm

I installed Fedora 42 with UEFI mode(secure boot is on), I want to test my kernel module, when I sudo insmod simproc.ko, I get “insmod: ERROR: could not insert module simproc.ko: Key was rejected by service”.

some tutorials let me turn off secure boot, but in my acer laptop, I have to change bios mode to legacy before I can switch off secure boot, I don’t know if Fedora 42 can boot normally in legacy mode (it is installed with UEFI mode).

How to deal with it?

vgaetera · May 8, 2025, 1:55pm

You are expected to use DKMS which helps automate module building and singing for new kernels:

# Set up DKMS
sudo dnf install dkms openssl
sudo dkms generate_mok
MOK_PASSWD="fedora"
sudo mokutil -i /var/lib/dkms/mok.pub << EOI
${MOK_PASSWD}
${MOK_PASSWD}
EOI
sudo systemctl reboot

# Custom module
sudo mkdir -p -Z /usr/src/custom-test
sudo tee /usr/src/custom-test/custom.c << EOF > /dev/null
#include <linux/init.h>
#include <linux/module.h>
MODULE_AUTHOR("User Name");
MODULE_DESCRIPTION("Custom module");
MODULE_LICENSE("MIT");
static int __init custom_init(void) {
    printk(KERN_INFO "Custom module loaded");
    return 0;
}
static void __exit custom_exit(void) {
    printk(KERN_INFO "Custom module removed");
}
module_init(custom_init);
module_exit(custom_exit);
EOF
sudo tee /usr/src/custom-test/Makefile << "EOF" > /dev/null
obj-m += custom.o
EOF
sudo tee /usr/src/custom-test/dkms.conf << EOF > /dev/null
PACKAGE_NAME="custom"
PACKAGE_VERSION="test"
BUILT_MODULE_NAME[0]="custom"
DEST_MODULE_LOCATION[0]="/extra"
EOF
sudo dkms install custom/test
sudo tee /etc/modules-load.d/custom.conf << EOF > /dev/null
custom
EOF
sudo systemctl restart systemd-modules-load.service

pramodvu1502 · May 8, 2025, 4:14pm

You need to create your own key-cert pair, sign the module.
The module is now ready.

But the key needs to be in the kernel

mokutil can put it into the MOK from where the shim bootloader passes it through GRUB/systemd-boot to the kernel
keyctl can directly interface with the kernel to add the key; This needs to be done on every boot though…

I will soon be back with detailed instructions; But don’t wait for me; I am too busy right now…

vwbusguy · May 8, 2025, 6:10pm

Here’s the guide for the key enrollment with mokutil:

Topic		Replies	Views
Signing custom kernel & modules failed Ask Fedora f35	9	2181	March 17, 2022
Modprobe: ERROR: could not insert 'v4l2loopback': Key was rejected by service Ask Fedora	12	12847	April 19, 2023
F36 KDE fails to install proprietary Nvidia graphics driver when in SecureBoot mode Ask Fedora f36 , kde , nvidia	3	532	June 16, 2023
Cannot enable Secure Boot Ask Fedora secure-boot , workstation , f42	16	471	May 16, 2025
OpenRazer and Secure Boot? Ask Fedora f35	1	1747	May 21, 2022

How to insmod ko on Fedora 42

Related topics