```bash
# VERY IMPORTANT! After each kernel update or dkms rebuild the modules must be signed again with the script
# ~/.ssl/sign-all-modules.sh
# Place all files in ~/.ssl folder
mkdir -p ~/.ssl
cd ~/.ssl
# Generate custom keys with openssl
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -subj "/CN=Owner/"
# Set more restrictive permissions as these are private keys
chmod 600 MOK.*
# Add the sign-all-modules script to the .ssl folder
cat <<EOT > sign-all-modules.sh
#!/bin/bash
sudo -v
echo "Signing the following modules"
for filename in /lib/modules/\$(uname -r)/updates/dkms/*.ko; do
sudo /usr/src/linux-headers-\$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der "\$filename"
echo "\$filename"
done
EOT
chmod +x ~/.ssl/sign-all-modules.sh
# Run the script
~/.ssl/sign-all-modules.sh
# Add the key to the trusted keys database
sudo apt-get install mokutil
sudo mokutil --import ~/.ssl/MOK.der
cd ~
# Reboot and in the boot screen select add/import key
```
@boospy, it looks like the script didn't find any .ko files to sign. The location for them is still the same on Ubuntu 18.04. Maybe the nvidia drivers were not installed for that particular kernel. Note that the script tries to sign the files for the kernel that is running at the moment, not the most recent one. So most of the time, you'd need to reboot twice, once to get into the most recent kernel and sign the modules there and another to boot with the signed modules. Let me know if that helps.
Hello @Garoe, sorry for the late answer, didn't get a notification from GitHub. So the problem exists. Strange, I've installed only one kernel. And nvidia drivers are installed and loaded. I had a lot of kernel updates in the past, and never had a problem with your script, it was working fine a long time :) Maybe I can set some paths... or other options to solve the problem?
Try running `locate nvidia_*.ko`, where you substitute the `*` with the nvidia driver version that you have installed, for example `locate nvidia_387.ko`. That should tell you where the modules are located, then all you need to do is to substitute the path in line 22 (line 6 on the sign-all-modules.sh file) with your path.
P.S. I use https://giscus.co/ to get email notifications for gist comments.
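Added example, not part of the gist or of any comment in this thread: a check that lists which uncompressed `.ko` files under a directory lack the appended signature marker, and that distinguishes the "no modules found at this path" case discussed above. The function names and exit codes are assumptions of this example; the marker only shows a signature was appended, not that it verifies against the enrolled MOK.

```shell
#!/bin/bash
# Added example: report unsigned kernel modules under a directory.
# A signed module file ends with this 28-byte trailer (27 chars + newline).
SIG_MARKER='~Module signature appended~'

# is_signed FILE: succeeds if FILE ends with the signature trailer.
# NUL bytes are dropped so binary tails compare cleanly as text.
is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "$SIG_MARKER" ]
}

# list_unsigned DIR: prints every *.ko below DIR without the trailer.
# Returns 0 if all modules are signed, 1 if any is unsigned,
# 2 if DIR holds no .ko files (wrong path or wrong kernel version).
list_unsigned() {
    dir=$1
    found=0
    unsigned=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue      # empty line when find matched nothing
        found=1
        if ! is_signed "$f"; then
            echo "$f"
            unsigned=1
        fi
    done <<EOF
$(find "$dir" -type f -name '*.ko' 2>/dev/null)
EOF
    if [ "$found" -eq 0 ]; then
        echo "no .ko files under $dir" >&2
        return 2
    fi
    return "$unsigned"
}

# Usage: ./check-signed.sh "/lib/modules/$(uname -r)/updates/dkms"
if [ $# -gt 0 ]; then
    list_unsigned "$1"
fi
```

Pass the module directory of the kernel you intend to boot rather than relying on `uname -r`, since the running kernel may not be the newest installed one.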
I've changed the path in the script, now it is working again:
```bash
#!/bin/bash
sudo -v
echo "Signing the following modules"
# Sign the modules placed directly under updates/
for filename in /lib/modules/$(uname -r)/updates/*.ko; do
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der "$filename"
echo "$filename"
done
# Sign the modules under kernel/drivers/char/drm/
for filename in /lib/modules/$(uname -r)/kernel/drivers/char/drm/*.ko; do
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der "$filename"
echo "$filename"
done
```
Since the last kernel update on Ubuntu 18.04 it didn't work anymore...
Maybe you have an idea?