If you’ve encountered the error insmod: ERROR: could not insert module ch34x.ko: Key was rejected by service, you’re not alone. This error typically surfaces when you attempt to load a kernel module, like ch34x.ko, that hasn’t been signed with a key that your current Linux kernel accepts. It’s a common issue, especially on systems with Secure Boot enabled in UEFI firmware.
In this blog post, we’ll explore what causes this error and provide step-by-step instructions on how to resolve it.
Understanding the Error
Secure Boot is a security feature available on systems with UEFI firmware. Its primary purpose is to ensure that only trusted software, signed with a recognized key, can run during the boot process. When Secure Boot is enabled, the Linux kernel will only load modules that are signed with a key enrolled in the UEFI firmware.
The error message Key was rejected by service occurs because the kernel module ch34x.ko is not signed with a key that your system recognizes. There are two main ways to resolve this issue: disabling Secure Boot or signing the kernel module with a trusted key.
Step 1: Check if Secure Boot is Enabled
Before diving into the solutions, it’s important to confirm whether Secure Boot is enabled on your system:
- Reboot your system and enter the BIOS/UEFI settings. This can usually be done by pressing a specific key (like F2, F10, Del, or Esc) during startup.
- Navigate to the Security or Boot menu.
- Look for an option labeled Secure Boot. If it’s enabled, you’ll need to decide whether to disable it or proceed with signing the module.
Step 2: Disabling Secure Boot (Simpler Option)
If you don’t require Secure Boot for your system’s security requirements, the simplest solution is to disable it:
- In the BIOS/UEFI settings, locate the Secure Boot option and disable it.
- Save your changes and exit the BIOS/UEFI settings.
- After rebooting, attempt to load the module again using insmod or modprobe:
sudo insmod ch34x.ko
This should resolve the issue in most cases. However, if you prefer to keep Secure Boot enabled, follow the steps below to sign the kernel module.
Step 3: Signing the Kernel Module (Advanced Option)
Signing the kernel module allows you to maintain the security benefits of Secure Boot while ensuring the module is accepted by the kernel.
Step 3a: Generate a Key Pair
First, generate a key pair that you will use to sign the module:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Your Name/"
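This command creates a private key (MOK.priv) and a certificate (MOK.der). Because of the -nodes option, the private key is written to disk unencrypted, so keep MOK.priv readable only by your own account.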
Step 3b: Sign the Module
Next, sign the kernel module with your newly created private key:
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 MOK.priv MOK.der ch34x.ko
This command signs the ch34x.ko module with the private key.
Step 3c: Enroll the Key
To ensure your system recognizes the signed module, you need to enroll the key with the system:
sudo mokutil --import MOK.der
You’ll be prompted to create a password, which will be needed in the next step.
Step 3d: Reboot and Enroll Key
Reboot your system. During the boot process, the Machine Owner Key (MOK) manager will prompt you to enroll the key:
- Select the option to Enroll MOK.
- Follow the instructions to complete the process using the password you set earlier.
Step 3e: Load the Module
Once the key is enrolled, you can load the module without encountering the error:
sudo insmod ch34x.ko
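A pre-flight check for Steps 1 and 3, added here as an example and not part of the original post: it reads the Secure Boot state from the output of mokutil --sb-state and tests whether the .ko file ends with the marker that sign-file appends to a signed module. The function names and verdict keywords are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: pre-flight check before insmod.
# Signed modules end with this marker (28 bytes including its final newline).
SIG_MARKER='~Module signature appended~'

# module_is_signed FILE: exit 0 if FILE ends with the signature marker.
module_is_signed() {
    [ -f "$1" ] || return 2
    # $(...) strips the trailing newline; tr drops NULs found in binary tails.
    [ "$(tail -c 28 "$1" | tr -d '\0')" = "$SIG_MARKER" ]
}

# secure_boot_enabled TEXT: TEXT is the output of `mokutil --sb-state`.
secure_boot_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# preflight FILE SB_TEXT: print a verdict keyword followed by a hint.
preflight() {
    if [ -z "$2" ]; then
        echo "unknown: could not read the Secure Boot state (is mokutil installed?)"
    elif ! secure_boot_enabled "$2"; then
        echo "sb-off: Secure Boot is not enabled, no MOK signature needed"
    elif module_is_signed "$1"; then
        echo "signed: loads only if the signing certificate is enrolled"
    else
        echo "unsigned: sign the module (Step 3b) before insmod"
    fi
}

if [ -n "${1:-}" ]; then
    # Real use: ./preflight.sh ch34x.ko
    preflight "$1" "$(mokutil --sb-state 2>/dev/null)"
else
    # Demo on a constructed file (not a real module).
    demo=$(mktemp)
    printf 'fake-module-body%s\n' "$SIG_MARKER" > "$demo"
    preflight "$demo" "SecureBoot enabled"
    rm -f "$demo"
fi
```

The marker only shows that a signature was appended; it does not prove the signature is valid or that the signing certificate has been enrolled through the MOK manager.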
Conclusion
By following these steps, you can successfully resolve the insmod: ERROR: could not insert module ch34x.ko: Key was rejected by service error. Whether you choose to disable Secure Boot or sign the kernel module, understanding the underlying cause of the error and how Secure Boot works will help you maintain control over your system’s security and functionality.