```bash
# VERY IMPORTANT! After each kernel update or dkms rebuild the modules must be signed again with the script
# Place all files in ~/.ssl folder
mkdir -p ~/.ssl
cd ~/.ssl

# Generate custom keys with openssl (-nodes leaves the private key unencrypted on disk)
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -subj "/CN=Owner/"
# Set more restrictive permissions as these are private keys
chmod 600 MOK.*

# Add the sign-all-modules script to the .ssl folder
# (\$ is escaped so it is expanded when the script runs, not when it is written)
cat <<EOT > sign-all-modules.sh
#!/bin/bash
echo "Signing the following modules"
for filename in /lib/modules/\$(uname -r)/updates/dkms/*.ko; do
    sudo /usr/src/linux-headers-\$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der "\$filename"
    echo "\$filename"
done
EOT
chmod +x ~/.ssl/sign-all-modules.sh

# Run the script
~/.ssl/sign-all-modules.sh

# Add the key to the trusted keys database
sudo apt-get install mokutil
sudo mokutil --import ~/.ssl/MOK.der

# Reboot and in the boot screen select add/import key
```
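To confirm the result after a kernel update or DKMS rebuild, the following added example (not part of the original gist) reports which modules under the gist's `updates/dkms` path end with the kernel's `~Module signature appended~` marker, and flags the case where no `.ko` files are found at all. The script name `check-signed.sh` and the function names are assumptions; it inspects only uncompressed `.ko` files and checks for the marker, not whether the signature verifies against the enrolled key.

```shell
#!/usr/bin/env bash
# check-signed.sh (hypothetical name): added example, not the gist author's code.

# A signed module ends with this marker followed by a newline (28 bytes in total).
MAGIC='~Module signature appended~'

# is_signed FILE: succeed if FILE ends with the signature marker.
is_signed() {
    # tr drops NUL bytes so the shell can hold binary tail data;
    # command substitution strips the marker's trailing newline.
    [ "$(tail -c 28 -- "$1" 2>/dev/null | tr -d '\0')" = "$MAGIC" ]
}

# check_modules DIR: print one status line per module.
# Returns 0 if all are signed, 1 if any is unsigned, 2 if DIR has no .ko files.
check_modules() {
    local dir=$1 f found=0 unsigned=0
    for f in "$dir"/*.ko; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal; skip it
        found=1
        if is_signed "$f"; then
            echo "signed    $f"
        else
            echo "UNSIGNED  $f"
            unsigned=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no .ko files in $dir (modules not built for this kernel?)" >&2
        return 2
    fi
    return "$unsigned"
}

# Run only when a kernel release is given, e.g.: ./check-signed.sh "$(uname -r)"
if [ "$#" -gt 0 ]; then
    check_modules "/lib/modules/$1/updates/dkms"
fi
```

Passing a kernel release other than the running one shows whether a newly installed kernel still has unsigned modules before you boot into it.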
Very helpful. Thanks.
For anyone installing nvidia driver from commandline without apt, the
After the failed installing, manually exec the
Lines 15-26 are a bit broken. They should look like this instead:
If you run your version more than once, then sign-all-modules.sh will be appended to instead of overwritten.
If you don't escape the
which is not the intended output and will not work when used to sign the kernel modules.
For what it's worth, the cat function wasn't working for me, and I'm relatively new to all of this so I just created the file in nano and pasted the script without the
Pasted script, wrote it out.
chmod +x ~/.ssl/sign-all-modules.sh
Since the last kernel update on Ubuntu 18.04 it didn't work anymore...
Maybe you have an idea?
@boospy, it looks like the script didn't find any .ko files to sign. The location for them is still the same on Ubuntu 18.04. Maybe the nvidia drivers were not installed for that particular kernel. Note that the script tries to sign the files for the kernel that is running at the moment, not the most recent one. So most of the time, you'd need to reboot twice, once to get into the most recent kernel and sign the modules there and another to boot with the signed modules. Let me know if that helps.
Hello @Garoe, sorry for the late answer, I didn't get a notification from GitHub. So the problem exists. Strange, I've installed only one kernel. And the nvidia drivers are installed and loaded. I had a lot of kernel updates in the past, and never had a problem with your script, it was working fine a long time :) Maybe I can set some paths... or other options to solve the problem?
P.S. I use https://giscus.co/ to get email notifications for gist comments.
I've changed the path in the script, now it is working again: