The following guide will help you use DKMS kernel modules on Fedora Linux without disabling Secure Boot. Once configured, this will automatically sign modules as they are updated.
- Make sure that no DKMS driver packages are installed, and that the packages dkms, openssl and mokutil are installed and Secure Boot is enabled.
    sudo dnf install dkms openssl mokutil
- Start by becoming root with sudo -i.
- Generate the key and certificate.
    openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS modules" \
        -newkey rsa:2048 -keyout /root/dkms.key \
        -outform DER -out /root/dkms.der
- Enroll the public key.
    mokutil --import /root/dkms.der
  You'll be prompted to create a password. Enter it twice.
- Reboot the computer. At boot you'll see the MOK Manager EFI interface. Press any key to enter it.
  - "Enroll MOK"
  - "Continue".
  - "Yes".
  - Enter the password you set up just now.
  - Select "OK" and the computer will reboot again.
- Edit /etc/dkms/framework.conf and uncomment the following line:
    sign_tool="/etc/dkms/sign_helper.sh"
Lastly, install your desired DKMS driver.
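To confirm the procedure above took effect, the following added example (not part of the original guide) classifies the output of mokutil --sb-state, mokutil --test-key and modinfo -F signer into a single status. The certificate path and the CN "DKMS modules" come from the guide; the function names and status words are made up for this example, and the module name is whatever DKMS driver you installed, passed as the first argument.

```shell
#!/bin/sh
# Added example: verify the result of the DKMS signing setup.
# From the guide: certificate path /root/dkms.der and CN "DKMS modules".
# Assumption: the module name to check is passed as the first argument.
EXPECTED_CN="DKMS modules"
CERT=/root/dkms.der

# Return 0 if `mokutil --sb-state` output ($1) reports Secure Boot enabled.
sb_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the three tool outputs to one status word; return 0 only for "ok".
#   $1: output of `mokutil --sb-state`
#   $2: output of `mokutil --test-key CERT`
#   $3: output of `modinfo -F signer MODULE` (empty when unsigned)
dkms_sign_status() {
    sb_enabled "$1" || { echo "secure-boot-off"; return 1; }
    case "$2" in
        *"is already enrolled"*) ;;
        *"enrollment request"*) echo "mok-pending-reboot"; return 1 ;;
        *) echo "mok-not-enrolled"; return 1 ;;
    esac
    [ -n "$3" ] || { echo "module-unsigned"; return 1; }
    [ "$3" = "$EXPECTED_CN" ] || { echo "signed-by-other-key"; return 1; }
    echo "ok"
}

# Query the live system only when a module name is given.
if [ -n "${1:-}" ]; then
    dkms_sign_status "$(mokutil --sb-state 2>&1)" \
                     "$(mokutil --test-key "$CERT" 2>&1)" \
                     "$(modinfo -F signer "$1" 2>/dev/null)"
fi
```

Because the key is generated with -nodes, /root/dkms.key is stored unencrypted; anyone who can read it can sign modules that the enrolled MOK will make the kernel trust, so keep it readable by root only.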
PS & FYI: after searching around a bit it seems that from dkms v3 the signing is automatic, so what was left was to make sure that the generated keys are found by the framework. After adding a drop-in at /etc/dkms/framework.conf.d/01-custom.conf with the following
the module appears to get loaded correctly (still need to try it with the Coral TPU)