Signing kernel modules results in "Failed to start Load Kernel Modules"

Hi there, everyone. I’ve been running into a bit of an issue.

To give context, I am dualbooting EndeavourOS with Windows. On Windows, I have Valorant installed, which in case you don’t know about the anticheat for that game, it’s pretty strict, forcing secure boot for example. So I would like to have secure boot enabled so I can play the game whenever I feel like it.

Here’s my issue: in order to do that, I need a signed kernel and kernel modules. That’s okay in of itself, I followed the steps on Arch’s wiki to sign the kernel itself. What I’m struggling on is modules. When I sign the modules using this command, for example:

/usr/src/linux-zen/scripts/sign-file sha256 /etc/efi-keys/DB.key /etc/efi-keys/DB.crt /lib/modules/5.16.4-zen1-1-zen/kernel/drivers/block/zram/zram.ko.zst

The modules (zram which I used for swap & the nvidia modules that I signed) fail to load with this error:

tilda@phosphorus ~> sudo modprobe zram
modprobe: ERROR: could not insert 'zram': Invalid argument
tilda@phosphorus ~ [1]> 

I don’t know why this would happen - I did this on Fedora with 0 issues (but my Fedora install somehow hosed itself, so I made my way here instead).

Any responses appreciated. Thanks in advance!

1 Like

I think one approach would be to build the module into the initramfs so it can be signed that way. :thinking:

All the people I know who are implementing secure boot run Arch; some of them might be willing to help if you catch them on IRC.

Just solved my issue. For future records, I was overthinking it. On Fedora, I had to sign the nvidia modules for them to load, which doesn’t seem the case here.

People finding this thread via Google or otherwise: would recommend trying out shim using this guide on ArchWiki. Though maybe I’m thinking I will just write out a blog post because Secure Boot on Linux definitely deserves more documentation. T’was a pain, even on Fedora which has one of the better supports for it.

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.