Module kvdo cannot be loaded with Secure Boot enabled

Trying to setup deduplication with VDO, I’m running into an issue while loading kvdo kernel module in Rocky Linux 9.

modprobe: ERROR: could not insert 'kvdo': Key was rejected by service

I have secure boot enabled on my host and listing info for kvdo module shows it is not signed.

filename:       /lib/modules/5.14.0-427.37.1.el9_4.x86_64/weak-updates/kmod-kvdo/vdo/kvdo.ko
version:        8.2.3.3
license:        GPL
author:         Red Hat, Inc.
description:    device-mapper target for transparent deduplication
description:    LZ4 compressor
license:        Dual BSD/GPL
rhelversion:    9.4
srcversion:     3748594DCFDAFFE76EBB0A9
depends:        dm-mod,dm-bufio
retpoline:      Y
name:           kvdo
vermagic:       5.14.0-427.el9.x86_64 SMP preempt mod_unload modversions

Is this a bug or is there a solution to use VDO in Rocky Linux without disabling secure boot?

You have to enroll the cert for the module with the mokutil tool then reboot to complete the enrollment with the firmware. If you browse to /etc/pki/akmods/ you should see two files with one being a link “publickey.der” to the akmod generated puplic key <hostname.domainname>-randomnumber.der

sudo mokutil -i /etc/pki/akmods/certs/public_key.der

It will ask you to create a one time password that you will be prompted for by the system firmware once you reboot. On my lenovo laptop apon reboot you will be asked to enroll the cert. On my Rocky server the enrollment process occurs within the firmware “F1” at boot.

The kernel module is from package kmod-kvdo that is in Rocky’s baseos repo.
Therefore, it should be signed by Rocky and the machine should already have Rocky’s cert.

But after checking more thoroughly as the OP did with modinfo I found like the OP that it is not signed and is worth a bug report. It is possible to self sign it and the fact that it is not compressed like most other distro modules makes that process easier but is still tedious.