Balluff - BVS CA-BN Technical Documentation
UEFI SecureBoot with Linux on x86_64 platforms

UEFI SecureBoot is available on most modern x86 hardware and ensures that only operating system binaries carrying a valid signature are loaded at boot. If you are using the BVS CA-BN camera on an ARM-based system, please ignore the following section.

SecureBoot requires the Linux kernel and all loadable kernel modules to be signed with a key whose certificate is registered on the system. Since the Balluff BVS CA-BN PCIe camera uses a kernel module that is built individually for each system, this kernel module must also be signed before it can be loaded.

If you do not need UEFI SecureBoot protection it is advisable to turn it off in the BIOS settings for your PC. For details please see the BIOS documentation for your PC. In this case you can ignore the following section, since the Balluff kernel module will not need to be signed.

However, if you are unable to turn off SecureBoot, or would like to continue using it, the kernel module must be signed after it has been built. The install script will try to do this using suitable digital keys it finds on the system. In some cases you may need to install extra software on the PC and reinstall Impact Acquire using the install script, or you may prefer to sign the kernel module with your own digital keys.

In all cases the key used for signing must be registered with each PC individually, unless a key pair for which you hold the private key has already been registered on that PC (see below).

The following section describes how to install and use keys supplied by Debian-based distributions such as Ubuntu. Other Linux distributions may provide similar packages containing keys; please refer to your distribution's documentation.

Using keys supplied by Debian / Ubuntu

The Balluff Impact Acquire install script attempts to use keys found in the directory "/var/lib/shim-signed/mok". If this directory or the keys "MOK.priv" and "MOK.der" do not exist on your system, please try installing the package "shim-signed".

Afterwards, reinstall Impact Acquire using the install script. The tool called "kmodsign" and the keys "MOK.priv" and "MOK.der" will be used automatically after building the kernel module.

Using your own keys or signing by hand

Alternatively you can sign the kernel module yourself, by hand, using your own keys or those supplied by "shim-signed". An example of signing a kernel module is shown below. Substitute your own keys and their locations, if required.

cd /lib/modules/$(uname -r)/kernel/misc
sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der mvpci.ko

Registering validation keys with the system

Debian and Ubuntu use a tool called "mokutil" to import a key for registration on a system. This action is only needed once per key on each PC.

The command to use looks like this (substitute your own key and its location, if required):

sudo mokutil --import /var/lib/shim-signed/mok/MOK.der

You will be asked to provide a one-time password. Choose anything you like, but take note of what you have chosen!

The next time your PC is restarted, and before the Linux kernel boots, a program called "MokManager" will be started. You will be presented with a blue box asking if you want to administer the keys on the system. Choose the option to do this and then follow the instructions on the screen to register your key. You will be asked to provide the one-time password that you used with "mokutil"!

Once the key has been successfully registered the kernel will boot and it will be possible to load any kernel modules that have been signed using this key.
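The signing step (kmodsign) and the registration step (mokutil / MokManager) described above, combined into one checking script as an added example; this is not part of the Balluff documentation or of the Impact Acquire install script. It assumes the "shim-signed" key locations and the module path shown on this page (overridable through the MOK_PRIV, MOK_DER and MODULE environment variables), that either kmodsign or the kernel's own sign-file script is installed, and that mokutil prints "SecureBoot enabled" for --sb-state and "... is already enrolled" for --test-key (assumed wording; check against your mokutil version). The script looks for the trailer string that sign-file appends to every signed module, so an already signed module is not signed a second time, and it reports whether the reboot-and-MokManager step is still pending.

```shell
#!/bin/sh
# Added example, not part of the Balluff documentation: check the SecureBoot
# state, sign mvpci.ko only if it has no module signature yet, and report
# whether the signing certificate is already enrolled as a MOK.
set -u

# Defaults follow the "shim-signed" locations used on this page; override
# with environment variables if you use your own keys.
MOK_PRIV="${MOK_PRIV:-/var/lib/shim-signed/mok/MOK.priv}"
MOK_DER="${MOK_DER:-/var/lib/shim-signed/mok/MOK.der}"
MODULE="${MODULE:-/lib/modules/$(uname -r)/kernel/misc/mvpci.ko}"

# sign-file appends this 27-byte marker plus a newline to every signed
# module, so the last 28 bytes of a signed .ko are always this string.
SIG_MARKER='~Module signature appended~'

# 0 if the file ends with the signature trailer, 1 if not, 2 if it is missing.
module_is_signed() {
    f="$1"
    [ -f "$f" ] || return 2
    [ "$(tail -c 28 "$f" | tr -d '\n')" = "$SIG_MARKER" ]
}

# Pure parsers, testable without mokutil. Assumption: mokutil prints
# "SecureBoot enabled|disabled" for --sb-state and "<file> is already
# enrolled" for --test-key when the certificate is in the MOK list.
sb_output_says_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}
key_output_says_enrolled() {
    printf '%s\n' "$1" | grep -q 'already enrolled'
}

sb_enabled()   { sb_output_says_enabled "$(mokutil --sb-state 2>/dev/null)"; }
key_enrolled() { key_output_says_enrolled "$(mokutil --test-key "$MOK_DER" 2>/dev/null)"; }

# Sign in place. kmodsign (from shim-signed) and the kernel's sign-file take
# the same arguments: <hash> <private key> <x509 certificate> <module>.
sign_module() {
    mod="$1"
    if command -v kmodsign >/dev/null 2>&1; then
        kmodsign sha512 "$MOK_PRIV" "$MOK_DER" "$mod"
    else
        "/lib/modules/$(uname -r)/build/scripts/sign-file" sha512 \
            "$MOK_PRIV" "$MOK_DER" "$mod"
    fi
}

main() {
    if ! sb_enabled; then
        echo "SecureBoot is not enabled: $MODULE does not need a signature."
        return 0
    fi
    if module_is_signed "$MODULE"; then
        echo "$MODULE already carries a module signature."
    else
        echo "Signing $MODULE ..."
        sign_module "$MODULE" || { echo "signing failed" >&2; return 1; }
        module_is_signed "$MODULE" || { echo "no signature trailer after signing" >&2; return 1; }
    fi
    # modinfo shows the signer name taken from the certificate that was used.
    echo "signer: $(modinfo -F signer "$MODULE" 2>/dev/null)"
    if key_enrolled; then
        echo "Certificate is enrolled; the module can be loaded now."
    else
        echo "Certificate is not enrolled yet: run 'sudo mokutil --import $MOK_DER'," \
             "reboot and complete the enrolment in MokManager."
    fi
}

main
```

Run it with sudo after the install script has built the module; on a PC where SecureBoot is disabled it only reports that no signature is needed. Checking the trailer rather than the exit status of kmodsign is deliberate: it also catches a module that was rebuilt after signing, which silently loses its signature.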
