Sign NVIDIA kernel modules genreated by akmods

akmod-sign-modules.sh

#!/bin/bash

# Script based on https://github.com/larsks/akmod-sign-modules. Use the systemd 
# drop-in to call this script during akmods@${KERNEL_VERSION}.service
#
# Compression support based on https://unix.stackexchange.com/questions/438954/signing-a-compressed-kernel-module-for-use-with-secure-boot
#
# See also https://gist.github.com/xenithorb/df08970b9e70bb3c6576e1fd91460afe

set -eu

if [[ -z $1 ]]; then
  "usage: $0 <kernel_version>"
  exit 1
fi

KERNEL_VER=$1

: ${MOK_KEY:=/etc/pki/tls/mok/mok.key}
: ${MOK_CRT:=/etc/pki/tls/mok/mok.der}
: ${MOK_HASH:=sha256}
: ${SIGN_FILE_BINARY:=/usr/src/kernels/${KERNEL_VER}/scripts/sign-file}

echo "Signing nvidia modules for kernel version $KERNEL_VER"

for MODULE in $(dirname $(modinfo -n nvidia -k $KERNEL_VER))/*.ko*; do
  MODULE_BASENAME=${MODULE:0:-3}
  MODULE_SUFFIX=${MODULE: -3}
  if [[ "$MODULE_SUFFIX" == ".xz" ]]; then
      unxz "${MODULE}"
      echo "${SIGN_FILE_BINARY}" "${MOK_HASH}" "${MOK_KEY}" "${MOK_CRT}" "${MODULE_BASENAME}"
      "${SIGN_FILE_BINARY}" "${MOK_HASH}" "${MOK_KEY}" "${MOK_CRT}" "${MODULE_BASENAME}"
      xz -f "${MODULE_BASENAME}"
   elif [[ "$MODULE_SUFFIX" == ".gz" ]]; then
      gunzip ${MODULE}
      echo "${SIGN_FILE_BINARY}" "${MOK_HASH}" "${MOK_KEY}" "${MOK_CRT}" "${MODULE_BASENAME}"
      "${SIGN_FILE_BINARY}" "${MOK_HASH}" "${MOK_KEY}" "${MOK_CRT}" "${MODULE_BASENAME}"
      gzip -9f "${MODULE_BASENAME}"
   else
      "${SIGN_FILE_BINARY}" "${MOK_HASH}" "${MOK_KEY}" "${MOK_CRT}" "${MODULE_BASENAME}"
  fi
done