Your organization enforces UEFI Secure Boot on all developer workstations. After compiling a custom hardware-monitoring driver (dmon.ko) on a Fedora 39 system, the administrator attempts to load it and receives the error:
modprobe: ERROR: could not insert 'dmon': Key was rejected by service
The driver must be loaded while keeping Secure Boot enabled and without replacing the existing vendor keys. Which procedure accomplishes this requirement?
Enable CONFIG_ALLOW_UNSIGNED_MODULES at run time with sysctl to bypass signature checks for this boot only
Temporarily disable Secure Boot in firmware, load dmon.ko, and re-enable Secure Boot once the module is in memory
Sign dmon.ko with a locally generated X.509 key, use mokutil --import to enroll the corresponding certificate, confirm the MOK enrollment on reboot, then load the driver
Add the SHA-256 checksum of dmon.ko to /etc/modprobe.d/blacklist.conf so the kernel treats the file as trusted
Secure Boot accepts kernel modules only when they are signed with a key that the kernel's trusted keyring contains, which is built from the firmware's trusted certificates plus any enrolled Machine Owner Keys. The safest way to keep Secure Boot enabled while allowing a locally compiled module to load is to create an X.509 key pair, sign the module with the private key, and add the certificate to the Machine Owner Key (MOK) list. The mokutil --import command only queues the certificate for enrollment; on the next reboot the MOK Manager screens let an administrator confirm the change, after which the key is added to the platform keyring and the signed module can be inserted. Disabling Secure Boot circumvents policy; a checksum placed in a modprobe configuration file is ignored by the kernel's signature checker; and CONFIG_ALLOW_UNSIGNED_MODULES cannot be toggled at run time because it is a build-time kernel option.
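The correct procedure as a shell script, with a post-reboot check that the certificate is actually enrolled before the module is loaded. This is an added example, not part of the exam page; it assumes kernel-devel for the running kernel is installed (for the sign-file helper), that the key pair lives in $KEYDIR (an assumed path), and that the module file is passed as the first argument.

```shell
#!/bin/sh
# Added example: sign a locally built module and enroll its certificate as a MOK.
# Assumptions: kernel-devel matching `uname -r` is installed, the key pair is kept in
# $KEYDIR (assumed location), and the module (e.g. dmon.ko) is passed as $1.
set -eu

KEYDIR="${KEYDIR:-/var/lib/shim-signed/mok}"   # assumed location for the local key pair
SIGNER_CN="Local module signing key"            # constructed CN for the self-signed cert

# 1. Create a 4096-bit RSA key and a self-signed X.509 certificate (DER, as mokutil expects).
gen_mok_key() {
  mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
  openssl req -new -x509 -newkey rsa:4096 -nodes -days 3650 \
    -subj "/CN=$SIGNER_CN/" \
    -keyout "$KEYDIR/MOK.priv" -outform DER -out "$KEYDIR/MOK.der"
}

# 2. Sign the module with the kernel's own sign-file helper (SHA-256 digest).
sign_module() {
  "/usr/src/kernels/$(uname -r)/scripts/sign-file" sha256 \
    "$KEYDIR/MOK.priv" "$KEYDIR/MOK.der" "$1"
}

# Pure text check: does `mokutil --list-enrolled` output on stdin list a cert with this CN?
# Run after the MOK Manager confirmation on reboot, before attempting modprobe.
cn_in_mok_list() {
  grep -Fq "CN=$1"
}

# 3/4. Queue the certificate for enrollment (mokutil asks for a one-time password),
#      reboot and confirm in MOK Manager, then load the signed module.
main() {
  mod=$1
  mokutil --sb-state                      # expect "SecureBoot enabled"
  [ -f "$KEYDIR/MOK.priv" ] || gen_mok_key
  sign_module "$mod"
  modinfo -F signer "$mod"                # prints the signing certificate's subject
  if mokutil --list-enrolled | cn_in_mok_list "$SIGNER_CN"; then
    modprobe "$(basename "$mod" .ko)"     # key already trusted: load now
  else
    mokutil --import "$KEYDIR/MOK.der"    # enrollment is confirmed on the next boot
    echo "reboot, enroll the key in MOK Manager, then run this script again"
  fi
}

# Only act when a module path is given, so the functions can be sourced or tested alone.
if [ $# -ge 1 ]; then main "$1"; fi
```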
CompTIA Linux+ XK0-006 (V8)
Security