Arch Linux User Repository

Adding

scripts/config --disable CONFIG_IMA_ARCH_POLICY

to myconfig does solve the "Failed to insert module 'nvidia': Key was rejected by service" problem.

Anyone who configured secure boot using sbctl and want to load dkms modules can try this solution.

This package have several variables to enable/disable features.

##
## The following variables can be customized at build time. Use env or export to change at your wish
##
##   Example: env _microarchitecture=98 use_numa=n use_tracers=n makepkg -sc
##
## Look inside 'choose-gcc-optimization.sh' to choose your microarchitecture
## Valid numbers between: 0 to 99
## Default is: 0 => generic
## Good option if your package is for one machine: 98 (Intel native) or 99 (AMD native)
if [ -z ${_microarchitecture+x} ]; then
  _microarchitecture=0
fi

## Disable NUMA since most users do not have multiple processors. Breaks CUDA/NvEnc.
## Archlinux and Xanmod enable it by default.
## Set variable "use_numa" to: n to disable (possibly increase performance)
##                             y to enable  (stock default)
if [ -z ${use_numa+x} ]; then
  use_numa=y
fi

## Since upstream disabled CONFIG_STACK_TRACER (limits debugging and analyzing of the kernel)
## you can enable them setting this option. Caution, because they have an impact in performance.
## Stock Archlinux has this enabled. 
## Set variable "use_tracers" to: n to disable (possibly increase performance, XanMod default)
##                                y to enable  (Archlinux default)
if [ -z ${use_tracers+x} ]; then
  use_tracers=n
fi

# Unique compiler supported upstream is GCC
## Choose between GCC and CLANG config (default is GCC)
## Use the environment variable "_compiler=clang"
if [ "${_compiler}" = "clang" ]; then
  _compiler_flags="CC=clang HOSTCC=clang LLVM=1 LLVM_IAS=1"
fi

# Choose between the 4 main configs for stable branch. Default x86-64-v1 which use CONFIG_GENERIC_CPU2:
# Possible values: config_x86-64-v1 (default) / config_x86-64-v2 / config_x86-64-v3 / config_x86-64-v4
# This will be overwritten by selecting any option in microarchitecture script
# Source files: https://github.com/xanmod/linux/tree/5.17/CONFIGS/xanmod/gcc
if [ -z ${_config+x} ]; then
  _config=config_x86-64-v1
fi

# Compress modules with ZSTD (to save disk space)
if [ -z ${_compress_modules+x} ]; then
  _compress_modules=n
fi

# Compile ONLY used modules to VASTLY reduce the number of modules built
# and the build time.
#
# To keep track of which modules are needed for your specific system/hardware,
# give module_db script a try: https://aur.archlinux.org/packages/modprobed-db
# This PKGBUILD read the database kept if it exists
#
# More at this wiki page ---> https://wiki.archlinux.org/index.php/Modprobed-db
if [ -z ${_localmodcfg} ]; then
  _localmodcfg=n
fi

# Tweak kernel options prior to a build via nconfig
if [ -z ${_makenconfig} ]; then
  _makenconfig=n
fi

Personally I'm running now xanmod kernel compiled with this:

env _microarchitecture=98 use_tracers=n use_numa=n _localmodcfg=y _compress_modules=y makepkg -sic

Also, you can now create the file myconfig in your local repo to build this package with a custom config or use ${XDG_CONFIG_HOME}/linux-xanmod/myconfig. This file can be a full kernel config or be a script with several entries to add/remove options (you have several examples in PKGBUILD by using scripts/config):

Code involved:

  for _myconfig in "${SRCDEST}/myconfig" "${HOME}/.config/linux-xanmod/myconfig" "${XDG_CONFIG_HOME}/linux-xanmod/myconfig" ; do
    if [ -f "${_myconfig}" ] && [ "$(wc -l <"${_myconfig}")" -gt "0" ]; then
      if grep -q 'scripts/config' "${_myconfig}"; then
        # myconfig is a partial file. Executing as a script
        msg2 "Applying myconfig..."
        bash -x "${_myconfig}"
      else
        # myconfig is a full config file. Replacing default .config
        msg2 "Using user CUSTOM config..."
        cp -f "${_myconfig}" .config
      fi
      echo
      break
    fi
  done

@anlorsp thank you.

@archdevlab sure. I'll add it in next release.

Adding

scripts/config --disable CONFIG_IMA_ARCH_POLICY

to myconfig does solve the "Failed to insert module 'nvidia': Key was rejected by service" problem.

Anyone who configured secure boot using sbctl and want to load dkms modules can try this solution.

Hi you should consider fixing tomoyo in the config file like linux-lqx package https://aur.archlinux.org/cgit/aur.git/commit/?h=linux-lqx&id=86bc172b309b60f09b27a6aacc6c0361d57f24de

@wustdsh Have you solved the problem? I also met the 'Key was rejected by service'. I have found this project: https://aur.archlinux.org/packages/arch-sign-modules, but I wonder if it helps.

@kingdomkind just pull the key you need: gpg --recv-keys XXXX

Hey guys, is this meant to be built skipping pgp verification? As i'm currently getting an error with that

I configured secure boot using sbctl. When using linux-xanmod, it can boot up normally but nvidia related modules don't load:

systemd-modules-load[143]: Failed to insert module 'nvidia': Key was rejected by service
systemd-modules-load[143]: Failed to insert module 'nvidia_modeset': Key was rejected by service
systemd-modules-load[143]: Failed to insert module 'nvidia_uvm': Key was rejected by service
systemd-modules-load[143]: Failed to insert module 'nvidia_drm': Key was rejected by service

As far as I know dkms automatically generates /var/lib/dkms/mok.key to signs modules, what if I tell dkms to sign nvidia modules using the key that was used to sign the built-in modules when compiling linux-xanmod? It probably doesn't help, in the same case extra/linux-zen is able to load nvidia, and I'm wondering what options the xanmod patch changed to cause this problem.

EDIT: Maybe CONFIG_IMA_ARCH_POLICY=y. The solution seems to be to use the kernel's built-in signatures as I mentioned, or to use slim? or to recompile to remove this option.

@Riedler yeah, I personally use only a reduced myconfig, so I didn't have to maintain a full config:

cat .config/linux-xanmod/myconfig      
scripts/config --enable CONFIG_IWLWIFI_DEBUG
scripts/config --module CONFIG_MMC_BLOCK
scripts/config --set-val MMC_BLOCK_MINORS 8
scripts/config --module CONFIG_SND_DMAENGINE_PCM
scripts/config --module CONFIG_SND_COMPRESS_OFFLOAD
scripts/config --module CONFIG_AC97_BUS
scripts/config --enable CONFIG_INPUT_TABLET
scripts/config --enable CONFIG_TRACING
scripts/config --enable CONFIG_KPROBE_EVENTS
scripts/config --enable CONFIG_BPF_EVENTS

@figue nothing too crazy I think. Not even sure if any of this goes through to linux-xanmod.

/etc/makepkg → https://pastebin.com/S5GJqpqZ

as for myconfig - yeah somewhat, see here: https://github.com/RiedleroD/dotfiles/blob/master/linux-xanmod.conf

I should probably stop using the myconfig, I don't have time to maintain the custom one anymore…