Modprobe not permitted for custom package on UEFI with secure boot


I’m trying to install a custom drbd package on SLES12 SP5 (the drbd packages have been built on the same SLES12 SP5 kernel).
Everything works if the server is in Legacy mode or UEFI without secure boot, but as soon as secure boot is activated, the packages install but “modprobe drbd” fails with the error “Operation not permitted”.

I saw an “old” workaround (linux kernel - modprobe fails with "Operation not permitted" - Unix & Linux Stack Exchange), but it’s no longer possible: /proc/sysrq-trigger remains read-only (even as root).

How can I activate this custom drbd? (I see 2 options: deactivate secure boot, or maybe sign the package?)
Any other way to do it?


P.S.: Packages are built using rpmbuild.


I have some news on this issue.
First, I managed to build and install the drbd packages on a VM with UEFI and secure boot.

During the building phase, I created a key with

openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout key.asc -out cert.der -outform der -nodes -days 4745 -subj "/CN=$USER/"

and just made a

modsign-repackage -c ./cert.der -k ./key.asc /usr/src/packages/RPMS/x86_64/drbd-kmp-default-9.0.24_k4.12.14_122.106-1.x86_64.rpm

During the installation, I added the drbd-kernel-ueficert package and it was done! The certificate was installed, and after a reboot the drbd module was usable… all was fine!

Why “was”? Because after some package updates (kernel and others), this does not work anymore.
The production process is the same, but when I try to install the drbd-kernel-ueficert on the target VM, I get an error:

(1/1) Installing: drbd-kernel-ueficert-9.0.24-1.x86_64 […done]
Additional rpm output:
Failed to get file status, **/etc/uefi/certs//etc/uefi/certs/**8B9756BA.crt.crt
Failed to import **/etc/uefi/certs//etc/uefi/certs/**8B9756BA.crt.crt
warning: %post(drbd-kernel-ueficert-9.0.24-1.x86_64) scriptlet failed, exit status 255

I don’t understand where this error in the path comes from… moreover, the cert is correctly saved in /etc/uefi/certs/8B9756BA.crt.

If someone has an explanation…
I can use a workaround by doing a mokutil -i on this cert, but the main goal of my product is to avoid any manual entry (and mokutil -i requires entering a password for the MOK management).
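As an added example that is not part of the original post, the following POSIX sh diagnostic separates the three conditions behind a “modprobe: Operation not permitted” under Secure Boot (Secure Boot off, module unsigned, or module signed by a key the kernel does not trust). The sample tool output is constructed; the function names and the use of /proc/keys as the trust listing are assumptions of this example, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: decide why a kernel module is
# refused under UEFI Secure Boot by comparing three pieces of evidence:
#   1. `mokutil --sb-state`   -> is Secure Boot enforced at all?
#   2. `modinfo <module>`     -> is the module signed, and by which signer CN?
#   3. /proc/keys             -> does the kernel trust a key with that CN?
# Each function takes the tool's text output as an argument, so the logic can
# be exercised on constructed samples without root or real hardware.

# sb_enabled STATE_TEXT: succeed when the mokutil text says Secure Boot is on.
sb_enabled() {
  printf '%s\n' "$1" | grep -q 'SecureBoot enabled'
}

# module_signer MODINFO_TEXT: print the "signer:" CN, empty if unsigned.
module_signer() {
  printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p'
}

# signer_trusted SIGNER KEYS_TEXT: succeed when an asymmetric key whose
# description carries SIGNER is present in the keyring listing.
signer_trusted() {
  printf '%s\n' "$2" | grep 'asymmetric' | grep -Fq -- "$1"
}

# verdict SB_STATE MODINFO KEYS: one-word diagnosis for the module load failure.
verdict() {
  if ! sb_enabled "$1"; then echo secureboot-off; return; fi
  signer=$(module_signer "$2")
  if [ -z "$signer" ]; then echo unsigned; return; fi
  if signer_trusted "$signer" "$3"; then echo trusted; else echo signer-not-enrolled; fi
}

# Constructed sample output (shape of the real tools, all values made up).
SAMPLE_SB='SecureBoot enabled'
SAMPLE_MODINFO='filename:       /lib/modules/4.12.14-122.106-default/updates/drbd.ko
signer:         drbd-build
sig_key:        AB:CD:EF:01
sig_hashalgo:   sha256'
SAMPLE_KEYS='0a1b2c3d I------     1 perm 1f030000     0     0 keyring   .builtin_trusted_keys: 2
1e2f3a4b I------     1 perm 1f010000     0     0 asymmetric SUSE Linux Enterprise Secure Boot CA: 0123456789abcdef
5c6d7e8f I------     1 perm 1f010000     0     0 asymmetric drbd-build: abcdef0100000000'

# Live check, only meaningful as root on the affected host (skipped otherwise).
if [ "$(id -u)" = 0 ] && command -v mokutil >/dev/null 2>&1; then
  verdict "$(mokutil --sb-state)" "$(modinfo drbd 2>/dev/null)" "$(cat /proc/keys)"
fi
```

A result of signer-not-enrolled on a host where the ueficert package reported success is the case worth chasing: the module is signed, but the certificate never reached a keyring the kernel consults.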