
Currently running a CentOS 7 machine, trying to install lttng-tools and lttng-modules.

I am going through the steps required to get lttng set up on my machine, located at http://lttng.org/docs/v2.9/, and am experiencing issues with just about every step along the way. My issue right now is getting lttng-modules installed. I tried running the set of commands provided to install lttng-modules:

    cd $(mktemp -d) &&
    wget http://lttng.org/files/lttng-modules/lttng-modules-latest-2.9.tar.bz2 &&
    tar -xf lttng-modules-latest-2.9.tar.bz2 &&
    cd lttng-modules-2.9.* &&
    make &&
    sudo make modules_install &&
    sudo depmod -a

To which I received errors "Can't read private key" followed by INSTALL /probe/path/name/probe_name.ko for an entire list of probes. I read through the readme and made sure that the OS config variable dependencies were properly set. From here, I am completely unsure and any help would be appreciated.

A snippet of the terminal output is as follows:

    Can't read private key
      INSTALL /tmp/tmp.frbWYvVaL8/lttng-modules-2.9.1/probes/lttng-probe-x86-exceptions.ko
    Can't read private key
      INSTALL /tmp/tmp.frbWYvVaL8/lttng-modules-2.9.1/probes/lttng-probe-x86-irq-vectors.ko
    Can't read private key
      INSTALL /tmp/tmp.frbWYvVaL8/lttng-modules-2.9.1/tests/lttng-clock-plugin-test.ko
    Can't read private key
      INSTALL /tmp/tmp.frbWYvVaL8/lttng-modules-2.9.1/tests/lttng-test.ko
    Can't read private key
      DEPMOD  3.10.0-327.el7.x86_64
    make[1]: Leaving directory `/usr/src/kernels/3.10.0-327.el7.x86_64'
osgx
dadrexel
  • dadrexel, do you use Secure Boot? When you build external modules and your kernel is signed, you must sign the module with your MOK key, but if your kernel is from CentOS and you have no master CentOS key, you can't sign the just-built module (this is what the message is about). You have two variants: 1) disable Secure Boot and module signing (CONFIG_MODULE_SIG_FORCE - http://askubuntu.com/questions/755238) or 2) sign the module (and the kernel) with your own private key and install this key to the UEFI with mokutil: http://lxr.free-electrons.com/source/Documentation/module-signing.txt?v=4.8 – osgx Mar 29 '17 at 00:09

1 Answer


This sounds like Linux module signing is enabled (documented at http://lxr.free-electrons.com/source/Documentation/module-signing.txt?v=4.8), which is usually turned on on modern UEFI Secure Boot-enabled systems. Your bootloader (shim-signed or other) is signed with some UEFI-preinstalled (trusted) OEM/KEK key, shim has some OS vendor keys preinstalled, and the vendor's kernel and modules are signed with the OS vendor key (more at https://wiki.ubuntu.com/SecurityTeam/SecureBoot). Your kernel probably has CONFIG_MODULE_SIG_FORCE enabled (as was done in Ubuntu: https://askubuntu.com/questions/755238), and will not load an unsigned module (or a module signed with a non-trusted key).

If you are not the author of your OS distribution, you have no OS vendor private key to sign modules. And the message says that you do not have any key to sign the module with.

You have several variants:

  • Try to find the needed module in your OS (prebuilt and signed by your OS vendor). If there is no required module, try asking the OS vendor to include it (or pay them money for signing your module with their key). (Red Hat, with the help of EfficiOS, did some lttng for RHEL7 in 2015: https://developers.redhat.com/blog/2015/07/09/lttng-packages-available-for-rhel-7/ "LTTng Packages now Available for Red Hat Enterprise Linux 7" - probably still posted on the packages.efficios.com portal and probably compatible with CentOS)
  • Make your own key hierarchy. You can't add any key into the kernel binary signed by the vendor, but the kernel will allow you to use your MOK key to sign modules. So you need to create your key, install it into shim with mokutil (it will be added to the kernel as trusted if recorded in the hardware store - UEFI key database), and sign new modules with it (the original kernel and OS modules will work with the OS vendor key).
  • UNSAFE: disable Secure Boot and use a (custom-compiled?) kernel with module signing required and with your own key registered as trusted (it should be listed in cat /proc/keys or keyctl list %:.system_keyring), and sign all modules of the kernel.
  • UNSAFE, not recommended, and can only be used as a temporary solution on a testing PC: disable Secure Boot and use a (custom-compiled, or from the OS vendor if it has such a version) kernel with module signing disabled (disable CONFIG_MODULE_SIG_FORCE).

There are some manuals from OS vendors about module signing:

Community
osgx
  • Example of enrolling a key (`mokutil --import`) and signing a module on Fedora (CentOS, RHEL and Fedora are related and similar): http://www.pellegrino.link/2015/11/29/signing-nvidia-proprietary-driver-on-fedora.html – osgx Mar 29 '17 at 00:28
  • Also check http://stackoverflow.com/a/27519206 - when the full kernel is recompiled there can be key generation; if your case is like this, just rebuild kernel with the key and sign/install this new key as/with your MOK. – osgx Mar 29 '17 at 00:39
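
To see whether modules installed after a "Can't read private key" message really are unsigned, and whether a kernel config would refuse them, the added example below (not part of the original question, answer or the LTTng/kernel sources) checks each `.ko` for the signature trailer described in the kernel's module-signing documentation. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). A signed .ko ends with
# [signature][12-byte struct module_signature][marker]; the marker is the
# 28-byte string below including its trailing newline.
MAGIC='~Module signature appended~'

hex() { od -An -v -tx1 | tr -d ' \n'; }

# Exit 0 if FILE ends with the signature marker, 1 otherwise.
module_is_signed() {
    [ "$(tail -c 28 "$1" | hex)" = "$(printf '%s\n' "$MAGIC" | hex)" ]
}

# Print the signature length: the big-endian u32 that closes the struct.
module_sig_len() {
    module_is_signed "$1" || { echo 0; return 1; }
    set -- $(tail -c 32 "$1" | head -c 4 | od -An -v -tu1)
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Classify a kernel config file. This is the build-time view only;
# module.sig_enforce=1 on the kernel command line also enforces signing.
sig_policy() {
    if grep -q '^CONFIG_MODULE_SIG_FORCE=y' "$1"; then echo enforced
    elif grep -q '^CONFIG_MODULE_SIG=y' "$1"; then echo optional
    else echo off
    fi
}

# Print every .ko under DIR that carries no signature marker.
unsigned_modules() {
    find "$1" -name '*.ko' | sort | while IFS= read -r f; do
        module_is_signed "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample (fake module bodies, not real ELF): one unsigned file,
# one with a 4-byte dummy signature, id_type 2 (PKCS#7), sig_len 4.
make_sample() {
    d=$(mktemp -d)
    printf 'body' > "$d/unsigned.ko"
    { printf 'bodySIG!'; printf '\0\0\2\0\0\0\0\0\0\0\0\4'
      printf '%s\n' "$MAGIC"; } > "$d/signed.ko"
    printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\n' > "$d/config"
    echo "$d"
}

# Run directly with a directory argument to audit real modules.
if [ "$#" -gt 0 ]; then unsigned_modules "$1"; fi
```

The marker check only shows that a signature is attached; whether the kernel trusts the signing key is decided at load time against its keyring.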