Skip to content

Instantly share code, notes, and snippets.

@sbueringer

sbueringer/dkms-module-signing.md

Forked from dojoe/dkms-module-signing.md
Created October 16, 2019 04:22
Show Gist options
  • Save sbueringer/bd8cec239c44d66967cf307d808f10c4 to your computer and use it in GitHub Desktop.
Save sbueringer/bd8cec239c44d66967cf307d808f10c4 to your computer and use it in GitHub Desktop.
Download ZIP
Make DKMS sign kernel modules on installation, with full script support and somewhat distro independent
Raw
dkms-module-signing.md

On systems with UEFI Secure Boot enabled, recent Linux kernels will only load signed modules, so it's about time DKMS grew the capability to sign modules it's building.

These scripts are extended and scriptified variants of https://computerlinguist.org/make-dkms-sign-kernel-modules-for-secure-boot-on-ubuntu-1604.html and https://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur/768310#768310 and add some error checking, a passphrase around your signing key, and support for compressed modules.

dkms-sign-module is a wrapper for the more generic sign-modules which can also be used outside of DKMS.

Installation

  1. Create a directory under /root, say /root/module-signing, put the three scripts below in there and make them executable: chmod u+x one-time-setup sign-modules dkms-sign-module
  2. Run one-time-setup
  3. Reboot your computer to deploy the MOK
  4. For each module you will want to sign via DKMS, create a file /etc/dkms/<module_name>.conf with the following content: 
    POST_BUILD=../../../../../../root/module-signing/dkms-sign-module
    The awkward relative pathname is important since DKMS prepends its own path to it, so an absolute path will not work.
Raw
dkms-sign-module
#!/bin/bash
export PROMPT="Enter Machine Owner Key (MOK) passphrase to sign $module $module_version: "
export KERNELVER=$kernelver
$(dirname $0)/sign-modules ../$kernelver/$arch/module/*.ko*
Raw
one-time-setup
#!/bin/bash
mydir=$(dirname $0)
echo "I am about to generate the Machine Owner Key (MOK)."
echo "The passphrase you enter for this key will be required every time you want to sign a module."
read -p "Please press Return to go on..."
openssl req -new -x509 -newkey rsa:2048 -keyout $mydir/MOK.priv -outform DER -out $mydir/MOK.der -days 36500 -subj "/CN=$(hostname) module signing key/" || exit 1
echo
echo "Now I will import the generated key into the secure keystore."
echo "The passphrase you will enter is only required once, during the following reboot."
read -p "Please press Return to go on..."
mokutil --import $mydir/MOK.der || exit 1
echo
echo "Please reboot your computer now to complete the enrollment of your new MOK."
echo "This is going to look somewhat similar to https://sourceware.org/systemtap/wiki/SecureBoot"
Raw
sign-modules
#!/bin/bash
if [[ -z "$1" ]]; then
echo "Usage: $0 module [module...]"
exit 1
fi
mydir=$(dirname $0)
PROMPT="${PROMPT:-Enter Machine Owner Key (MOK) passphrase: }"
KERNELVER=${KERNELVER:-$(uname -r)}
read_passphrase() {
# We write to /dev/tty to get around DKMS' redirection to /dev/null if it's being run with -q (e.g. during rpm installs)
echo -n "$PROMPT" > /dev/tty
read -s KBUILD_SIGN_PIN < /dev/tty
export KBUILD_SIGN_PIN
echo > /dev/tty
openssl rsa -check -noout -passin env:KBUILD_SIGN_PIN -in $mydir/MOK.priv > /dev/null 2>&1
}
do_sign() {
/lib/modules/$KERNELVER/build/scripts/sign-file sha256 $mydir/MOK.priv $mydir/MOK.der "$1"
}
while ! read_passphrase; do echo "Wrong passphrase, please try again."; done
for module in $@; do
echo "Signing module: $module"
module_basename=${module:0:-3}
module_suffix=${module: -3}
if [[ "$module_suffix" == ".xz" ]]; then
unxz $module
do_sign $module_basename
xz -f $module_basename
elif [[ "$module_suffix" == ".gz" ]]; then
gunzip $module
do_sign $module_basename
gzip -9f $module_basename
else
do_sign $module
fi
done
@MatiasFS99
Copy link

Work perfect on debian 11 installing the rtl8821ce module, this tutorial saved me from disabling the secure boot

@siddhpant
Copy link

On 31 Mar 2022 16:15 +0530, @eike-fokken wrote:

On 17 Oct 2021 0343 +0530, @sprshp wrote:

With Debian 11 using dkms 2.8 (or Debian 10 with the backported package) there is a build-in function +1
enable it in /etc/dkms/framework.conf: uncomment line "sign_tool="/etc/dkms/sign_helper.sh""
eventually tweak the /etc/dkms/sign_helper.sh to match your signature.

Have you used this procedure? I fail to get it to work, apparently because I am not prompted for a password for my mok:

Building initial module for 5.16.0-5-amd64
At main.c:163:
- SSL error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad password read: ../crypto/pem/pem_pkey.c:64

You can make use of keyrings. It is very easy, I detail it here: https://gist.github.com/siddhpant/19c07b07d912811f5a4b2893ca706c99

@SaBenBurra
Copy link

Not works with rtl8821ce module (Fedora 36)

@enigma131
Copy link

Signature is automatic from dkms-3.0.10

@Roblex09
Copy link

Works on fedora 39 with the rtl8821ce modul. Tysm :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment