# insmod lkm_hello.ko
insmod: ERROR: could not insert module lkm_hello.ko: Operation not permitted
解决办法
其实就是因为修改.ko文件是修改的linux内核文件,所以被bios的安全启动保护给禁止了而已。
重启进入BIOS,修改安全启动选项,禁用安全启动选项,开机后重新sudo运行之前的指令。
https://open-cells.com/index.php/2017/06/08/kernel-module-uefi-secure-boot/
Signed kernel module: how to
- Compilation of a kernel module like this example
- cd opencells-mods/gtp_mod
- make -C /lib/modules/$(uname -r)/build M=$PWD
- sudo cp gtp.ko /lib/modules/$(uname -r)/kernel/drivers/net/gtp.ko
- But, despite we just compiled it successfully, the module can’t be loaded
- modprobe gtp
- ERROR: could not insert ‘gtp’: Operation not permitted
your kernel boot is in “secure boot”, the module can’t be loaded
This issue occurs also with other modules in AOI, like ue_ip.kp
- Solution 1
- Remove “secure boot” entirely
- depends on UEFI bios
- Can be done by
sudo apt install mokutil
sudo mokutil --disable-validation
- After this, reboot the computer, the UEFI bios should ask for the password you set with “mokutil”, then ask to accept to disable secure boot
- Solution 2
- Sign your modules
- add you own signature to valid signatures
- create ciphering keys
openssl req -new -x509 -newkey rsa:2048 -keyout OCP.priv -outform DER -out OCP.der -nodes -days 36500 -subj "/CN=OpenCells/"
- keep the two files OCP.der, OCP.priv as you’ll need it to sign your kernel modules
- import it in UEFI boot
sudo mokutil --import OCP.der
- It asks for a password: put any string, you’ll need it once, at next reboot, to secure the new ciphering enrolling
- You need to reboot the machine to enroll this new key
- Now you can sign your modules
- each time you compile a module, you have to sign it
- (after: sudo cp gtp.ko /lib/modules/`uname -r`/kernel/drivers/net/gtp.ko)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./OCP.priv ./OCP.der $(modinfo -n gtp)
- now “sudo modprobe gtp” should not complain anymore
- You’ll need to compile and update the module after each Ubuntu kernel upgrades