@KyleGospo
Last active November 27, 2023 14:59
Automatic Signing of DKMS-Generated Kernel Modules for Secure Boot under Fedora

The following guide will help you use DKMS kernel modules on Fedora Linux without disabling Secure Boot. Once configured, this will automatically sign modules as they are updated.

Step 0. Prerequisites

  • Make sure that no DKMS driver packages are installed, and that the packages dkms, openssl and mokutil are installed and Secure Boot is enabled.

    sudo dnf install dkms openssl mokutil
    

Step 1. Generating a MOK and Enrolling It in Secure Boot

  • Start by becoming root with sudo -i.

  • Generate the key and certificate.

    openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS modules" \
    -newkey rsa:2048 -keyout /root/dkms.key \
    -outform DER -out /root/dkms.der
    
  • Enroll the public key.

    mokutil --import /root/dkms.der
    

    You'll be prompted to create a password. Enter it twice.

  • Reboot the computer. At boot you'll see the MOK Manager EFI interface. Press any key to enter it.

    • "Enroll MOK"
    • "Continue".
    • "Yes".
    • Enter the password you set up just now.
    • Select "OK" and the computer will reboot again.

Step 2. Configuring DKMS to Sign Newly-Built Modules Automatically with the MOK

  • Edit /etc/dkms/framework.conf and uncomment the following line:

    sign_tool="/etc/dkms/sign_helper.sh"
    

Lastly, install your desired DKMS driver.
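Before installing a driver it is worth confirming that the three pieces set up above actually fit together: the private key DKMS will sign with matches the certificate that was enrolled, the firmware really holds that certificate as a MOK, and a built module ends up carrying the expected signer. The script below is an added example, not part of the gist; it assumes the key and certificate paths used in Step 1 (/root/dkms.key and /root/dkms.der, overridable through the KEY and CERT environment variables), the "is already enrolled" wording of `mokutil --test-key`, and a module name passed as the second argument to the check.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): sanity checks for the MOK-based DKMS
# signing setup. Paths default to the ones the guide uses; override them with
# KEY=... CERT=... if you stored the pair elsewhere.
set -u

KEY="${KEY:-/root/dkms.key}"
CERT="${CERT:-/root/dkms.der}"

# Return 0 when the private key and the DER certificate carry the same public
# key. If they do not, DKMS signs with a key the firmware has no certificate
# for, and every module is rejected at load time while Secure Boot is on.
# Both commands emit the public key as PEM SubjectPublicKeyInfo, so a plain
# string comparison is sufficient; failures are checked individually so that
# two missing files cannot "match" as two empty strings.
key_matches_cert() {
    kmc_key="$1"; kmc_cert="$2"
    [ -r "$kmc_key" ] && [ -r "$kmc_cert" ] || return 1
    kmc_key_pub=$(openssl pkey -in "$kmc_key" -pubout 2>/dev/null) || return 1
    kmc_cert_pub=$(openssl x509 -in "$kmc_cert" -inform DER -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kmc_key_pub" ] && [ "$kmc_key_pub" = "$kmc_cert_pub" ]
}

# Return 0 when the certificate is enrolled as a MOK. Needs root and EFI
# variable access, so it is a best-effort check; returns 2 if mokutil is absent.
# Assumed output wording: "<file> is already enrolled" / "<file> is not enrolled".
mok_enrolled() {
    command -v mokutil >/dev/null 2>&1 || return 2
    mokutil --test-key "$1" 2>/dev/null | grep -q "is already enrolled"
}

# Print the signer (certificate CN) recorded in an installed module, e.g.
# "DKMS modules" for the subject used in Step 1. Empty output means unsigned.
module_signer() {
    modinfo -F signer "$1" 2>/dev/null
}

# Usage: ./check-mok.sh check [module-name]
if [ "${1:-}" = "check" ]; then
    if key_matches_cert "$KEY" "$CERT"; then
        echo "OK   key/certificate pair matches ($KEY, $CERT)"
    else
        echo "FAIL key and certificate do not match (or are unreadable)"
    fi

    mok_enrolled "$CERT"
    case $? in
        0) echo "OK   certificate is enrolled as a MOK" ;;
        2) echo "SKIP mokutil not available" ;;
        *) echo "FAIL certificate is not enrolled; re-run mokutil --import and reboot" ;;
    esac

    if [ -n "${2:-}" ]; then
        signer=$(module_signer "$2")
        if [ -n "$signer" ]; then
            echo "OK   module $2 is signed by: $signer"
        else
            echo "FAIL module $2 is unsigned; DKMS did not sign it"
        fi
    fi
fi
```

Run it as root after Step 2 with `./check-mok.sh check`, and again after the driver is built with the module name appended (for the gasket example mentioned in the comments below, `./check-mok.sh check gasket`). The signer reported by `modinfo` should be the CN from the `openssl req -subj` argument; any other value, or none, means the module was built and signed with a different configuration than the one enrolled.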

olifink commented Nov 27, 2023

Hi, thanks for the guide, I'm trying to install the gasket-dkms from your copr on F39 - however it fails, I suspect due to the last step in this guide, because the sign_tool line is not in the framework.conf file and neither does the sign_helper.sh script exist (anymore).

Do you maybe have any ideas?

olifink commented Nov 27, 2023

PS & FYI: after searching around a bit it seems that from dkms v3 the signing is automatic, so what was left was to make sure that the generated keys are found by the framework. After adding a drop-in at /etc/dkms/framework.conf.d/01-custom.conf with the following

mok_signing_key="/root/dkms.key"
mok_certificate="/root/dkms.der"

the module appears to get loaded correctly (still need to try it with the Coral TPU)

# dkms status
gasket/0.0.git.252.c41789f9, 6.5.12-300.fc39.x86_64, x86_64: installed
