The following guide will help you use DKMS kernel modules on Fedora Linux without disabling Secure Boot. Once configured, this will automatically sign modules as they are updated.
- Make sure that no DKMS driver packages are installed, that the packages dkms, openssl and mokutil are installed, and that Secure Boot is enabled.

      sudo dnf install dkms openssl mokutil

- Start by becoming root with sudo -i.

- Generate the key and certificate.

      openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS modules" \
          -newkey rsa:2048 -keyout /root/dkms.key \
          -outform DER -out /root/dkms.der

  The -nodes option leaves the private key unencrypted so that modules can be signed unattended. Anyone who can read /root/dkms.key can sign modules that this machine will load, so keep it readable by root only.

- Enroll the public key.

      mokutil --import /root/dkms.der

  You'll be prompted to create a password. Enter it twice.

- Reboot the computer. At boot you'll see the MOK Manager EFI interface. Press any key to enter it.
  - Select "Enroll MOK".
  - Select "Continue".
  - Select "Yes".
  - Enter the password you set up just now.
  - Select "OK" and the computer will reboot again.

- Edit /etc/dkms/framework.conf and uncomment the following line:

      sign_tool="/etc/dkms/sign_helper.sh"

Lastly, install your desired DKMS driver.
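
To confirm the setup once the driver is installed, the following check (an added example, not part of the original guide) tests that Secure Boot is on, that a MOK with the guide's CN is enrolled, and that the module's signer matches that CN. The function names and the sample modinfo text are constructed for illustration; pass the real module name as the first argument to query the live system.

```bash
#!/usr/bin/env bash
# Added example: verify the result of the signing setup described above.
EXPECTED_CN="DKMS modules"   # CN from the guide's `openssl req -subj` argument

# Each parser reads command output on stdin, so it can be tested offline.
secure_boot_enabled() { grep -q '^SecureBoot enabled'; }      # mokutil --sb-state
mok_has_cn() { grep -q "Subject:.*CN *= *$1 *\$"; }           # mokutil --list-enrolled
module_signer() { sed -n 's/^signer:[[:space:]]*//p' | head -n 1; }   # modinfo

# Succeeds only if the module on stdin is signed and the signer equals $1.
# An unsigned module has no signer line, so the comparison fails closed.
signed_by() {
    local signer
    signer=$(module_signer)
    [ -n "$signer" ] && [ "$signer" = "$1" ]
}

# Run all three checks against the live system. $1 = module name (assumption:
# the DKMS module is already installed and visible to modinfo).
verify_module() {
    local rc=0
    mokutil --sb-state | secure_boot_enabled \
        || { echo "FAIL: Secure Boot is not enabled"; rc=1; }
    mokutil --list-enrolled | mok_has_cn "$EXPECTED_CN" \
        || { echo "FAIL: no enrolled MOK with CN=$EXPECTED_CN"; rc=1; }
    modinfo "$1" | signed_by "$EXPECTED_CN" \
        || { echo "FAIL: $1 is unsigned or signed by another key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 is signed by the enrolled '$EXPECTED_CN' key"
    return "$rc"
}

# Constructed sample of modinfo output for a signed module (not from a real host).
SAMPLE_MODINFO='filename:       /lib/modules/example/extra/example.ko.xz
license:        GPL
sig_id:         PKCS#7
signer:         DKMS modules
sig_hashalgo:   sha256'

if [ "$#" -gt 0 ]; then
    verify_module "$1"
else
    printf '%s\n' "$SAMPLE_MODINFO" | signed_by "$EXPECTED_CN" \
        && echo "sample: signer matches"
fi
```

A module that fails the last check while Secure Boot is enabled will be rejected at load time, so run this after every kernel or driver update that triggers a DKMS rebuild.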

PS & FYI: after searching around a bit it seems that from dkms v3 the signing is automatic, so what was left was to make sure that the generated keys are found by the framework. After adding a drop-in at /etc/dkms/framework.conf.d/01-custom.conf with the following
the module appears to get loaded correctly (still need to try it with the Coral TPU).