How can i use self compiled kernel module

Hi everybody,

since kernel signing ist activated i can’t insert my self compiled kernelmodul.
I see the error “modprobe: ERROR: could not insert ‘rtl8812au’: Required key not available”
How can i sign this kernelmodul.
In other Destis like Ubuntu, Debian Redhat or SuSe can i use the file sign-file and mokutil to insert self created key for this file.

Thanks in Advance

Olaf

Hello Olaf,

No that is not possible due to security reasons.

The whole kernel needs to be built in one go and is signed with a key that is later destroyed. An attacker can therefore no longer build any own modules or root kits against the IPFire kernel and attack a system with it.

What hardware are you trying to use?

2 Likes

Hello Michael,

this ist really importend for me. Without a 5Ghz Accesspoint (blue) directly on the firewall is the security for the green and orange network not guaranteed.
Here my hardward:
https://fireinfo.ipfire.org/profile/370614f76d43452b356f142d688ae811c5c355d7

If you meantime not already done, i recommend update to core 146 first.

SCNR :wink:

Hello Tulpenknicker,

No, i can’t update to Core 146. Since Core 142 is kernelsigning active and my Accesspoint down.
Pls see my second firewall (https://fireinfo.ipfire.org/profile/24332c284f2769d8c97e0e970ea56b8373be00ca)
Here is no RTL8812AU interface activ…

Greetings

Olaf

I do not carefully read your posting. I saw security… and core 141… This happens if you think you must send a quick smile to the world. Sorry

1 Like

Correct, but i can’t update or i must change the firewall to other Destri. I will not stay by the old core but i can’t do without wifi asccesspoint.
Why does everyone always have to tell you what is good for me and what is not? I do not understand that.

1 Like

The core devs decided to sign the kernel and to do it the way Michael posted above.
If you want support for specific hardware by kernel modules, these must be integrated into the system.
The signing is active now for some time. Why didn’t you ask for the kernel support of your device since then?

It has nothing to do with telling you, what is good for you. It is just a design decision like using the LFS model.

1 Like

He has already asked long time ago but i have not found the time to add this driver.

You have to integrate the build of the module into the build process to sign the module properly. An example is the xtables-addons lfs file which build and sign some modules. After build you have to exchange the whole kernel because the key is changed at every kernel build.

Best is to send in a patch. If the driver is gpl compatible and we can include it.

2 Likes

Or there are compatible wireless modules which are available for only a few Euros:

Hi Arne,
thanks for Answer. I will read in and try to install the module. If that worked, I’ll send the patch.

Many Thanks

Olaf

1 Like

Hi Micheal,
i know this list but no one of the USB-Sticks in this list worked as ap-Mode in 5GHz. Please see my post in forum. (https://forum.ipfire.org/viewtopic.php?f=17&t=23077&p=125985&hilit=RTL#p1)

Greetings

Olaf

Hi Olaf,

If that worked, I’ll send the patch.

please refer to https://wiki.ipfire.org/devel/ if you need further information regarding development procedures. In case of problems not explained there, just drop us a line. :slight_smile:

Thanks, and best regards,
Peter Müller

Hello everbody.

I’m to stupid.
modinfo said the modul is signed
modinfo /lib/modules/4.14.184-ipfire/kernel/drivers/net/wireless/realtek/rtl8812au.ko
filename: /lib/modules/4.14.184-ipfire/kernel/drivers/net/wireless/realtek/rtl8812au.ko
version: v4.3.14_13455.20150212_BTCOEX20150128-51
author: Realtek Semiconductor Corp.
description: Realtek Wireless Lan Driver
license: GPL
srcversion: EDC0561E503CC99CD8C4B3D
alias: usb:v3823p6249ddcdscdpiciscipin

alias: usb:v0BDAp8812ddcdscdpiciscipin
depends: cfg80211
retpoline: Y
name: rtl8812au
vermagic: 4.14.184-ipfire SMP mod_unload modversions
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 18:20:CC:65:90:3F:34:A9:8F:40:DA:3B:04:3F:37:XX:XX:XX… (X from me)
sig_hashalgo: sha512
signature: 21:74:72:0D:0C:FD:9C:E4:72:72:XX:XX:XX (X from me)

but …
modprobe rtl8812au
modprobe: ERROR: could not insert ‘rtl8812au’: Required key not available

any Idea?

Thanks a lot

Olaf

you have to copy the whole kernel from this build not just the module.

1 Like

Hi Arne,

ok, but how install the kernel? I can’t find update-grub[2].
I can copy all files from /usr/share/git-core/ipfire-2.x/build/boot/ to /boot and then?
IMHO will ipfire not start after reboot when the new kernel isn’t install with update-grub.
Greetings

Olaf

I’m also interested in adding support for rtl8812au driver into main kernel. I have a TP-link Archer T2U Nano AC600 USB Wireless adapter which I want to use it as an AP. There are many wifi devices using this driver https://deviwiki.com/wiki/Special:Ask?title=Special%3AAsk&q=[[Chip1+model::RTL8812AU]]&po=%3FInterface %3FForm+factor=FF %3FInterface+connector+type=USB+conn.

It is a pity that user requests are not really dealt with or that the user is left hanging in the event of problems. I’m really very disappointed.

I don’t understand why you are disappointed.

Arne answered your question regarding what you will need to do (copy the whole kernel) and he even said that this driver will be integrated at some time.

What more can you want?

This is a support forum where people help each other to configure IPFire…

3 Likes

No, if I just copy the kernel, ipfire will not start. If I copy the kernel and initramfs, ipfire will not start, too. Then when I update grub configuration the new kernel has no modules at all that are signed. When I asked how I can integrate the kernel correctly, there was no answer.
I built some kernels myself and actually have no problems with that. But never signed. The request for the module is now 2 years ago and nothing has solved. Even if other users (in the old forum and also here) givin a nitice that they want the module, there is not even an answer. That is the sad thing.

1 Like