The following guide will help you use DKMS kernel modules on Fedora Linux without disabling Secure Boot. Once configured, this will automatically sign modules as they are updated.
-
Make sure that no DKMS driver packages are installed, and that the packages
dkms
,openssl
andmokutil
are installed and Secure Boot is enabled.sudo dnf install dkms openssl mokutil
-
Start by becoming root with
sudo -i
. -
Generate the key and certificate.
openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS modules" \ -newkey rsa:2048 -keyout /root/dkms.key \ -outform DER -out /root/dkms.der
-
Enroll the public key.
mokutil --import /root/dkms.der
You'll be prompted to create a password. Enter it twice.
-
Reboot the computer. At boot you'll see the MOK Manager EFI interface. Press any key to enter it.
- "Enroll MOK"
- "Continue".
- "Yes".
- Enter the password you set up just now.
- Select "OK" and the computer will reboot again.
-
Edit
/etc/dkms/framework.conf
and uncomment the following line:sign_tool="/etc/dkms/sign_helper.sh"
Lastly, install your desired DKMS driver.
Hi, thanks for the guide, I'm trying to install the
gasket-dkms
from your copr on F39 - however it fails, I suspect due to the last step in this guide, because thesign_tool
line is not in theframework.conf
file and neither does thesign_helper.sh
script exist (anymore).do you maybe have any ideas?