`tpacpi-bat = inactive (kernel module 'acpi_call' load error)` & key enrolment for signing module

Hi, I am trying to set up TLP for Fedora 34 on my Thinkpad P52, but I can’t get the module tpacpi-bat to work.

$ sudo tlp-stat -b
--- TLP 1.3.1 --------------------------------------------

+++ Battery Features: Charge Thresholds and Recalibrate
natacpi    = active (data, thresholds)
tpacpi-bat = inactive (kernel module 'acpi_call' load error)
tp-smapi   = inactive (ThinkPad not supported)

+++ ThinkPad Battery Status: BAT0
/sys/class/power_supply/BAT0/manufacturer                   = SMP
/sys/class/power_supply/BAT0/model_name                     = 01AV496
/sys/class/power_supply/BAT0/cycle_count                    =     15
/sys/class/power_supply/BAT0/energy_full_design             =  90000 [mWh]
/sys/class/power_supply/BAT0/energy_full                    =  90640 [mWh]
/sys/class/power_supply/BAT0/energy_now                     =  85100 [mWh]
/sys/class/power_supply/BAT0/power_now                      =      0 [mW]
/sys/class/power_supply/BAT0/status                         = Unknown

/sys/class/power_supply/BAT0/charge_start_threshold         =     40 [%]
/sys/class/power_supply/BAT0/charge_stop_threshold          =     50 [%]

Charge                                                      =   93.9 [%]
Capacity                                                    =  100.7 [%]

$ sudo modprobe -v acpi_call
insmod /lib/modules/5.11.20-300.fc34.x86_64/extra/acpi_call/acpi_call.ko 
modprobe: ERROR: could not insert 'acpi_call': Key was rejected by service

I read that this problem is due to a lack of accepted signature for the module acpi_call, so I tried signing it following this guide. This is what I did so far:

$ cat << EOF > configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = NameSurname
CN = NameSurname
emailAddress = my@email.com

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

$ openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
 -batch -config configuration_file.config -outform DER \
 -out public_key.der \
 -keyout private_key.priv

Generating a RSA private key
..............++++
.............++++
writing new private key to 'private_key.priv'
-----

Problem being

$ mokutil --import public_key.der 
Failed to enroll new keys

Consequently trying to

$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./private_key.priv ./public_key.der /lib/modules/5.11.20-300.fc34.x86_64/extra/acpi_call/acpi_call.ko 

does nothing:

$ sudo tlp start
TLP started in AC mode (auto).
 sudo tlp-stat -b
--- TLP 1.3.1 --------------------------------------------

+++ Battery Features: Charge Thresholds and Recalibrate
natacpi    = active (data, thresholds)
tpacpi-bat = inactive (kernel module 'acpi_call' load error)
tp-smapi   = inactive (ThinkPad not supported)

+++ ThinkPad Battery Status: BAT0
/sys/class/power_supply/BAT0/manufacturer                   = SMP
/sys/class/power_supply/BAT0/model_name                     = 01AV496
/sys/class/power_supply/BAT0/cycle_count                    =     15
/sys/class/power_supply/BAT0/energy_full_design             =  90000 [mWh]
/sys/class/power_supply/BAT0/energy_full                    =  90640 [mWh]
/sys/class/power_supply/BAT0/energy_now                     =  85100 [mWh]
/sys/class/power_supply/BAT0/power_now                      =      0 [mW]
/sys/class/power_supply/BAT0/status                         = Unknown

/sys/class/power_supply/BAT0/charge_start_threshold         =     40 [%]
/sys/class/power_supply/BAT0/charge_stop_threshold          =     50 [%]

Charge                                                      =   93.9 [%]
Capacity                                                    =  100.7 [%]

as I assume the key wasn’t enrolled at all. Have you got any suggestion on how to proceed further?

I strongly suspect it’s either the CN in the openssl config or in the way I am generating the key, but I am far from sure

Apparently disabling secure boot from the bios solved the issue

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.