
@siddhpant
Last active May 12, 2023 12:55
DKMS auto-signing modules on install. Helpful when secure boot is on. Also contains v3 instructions.

Requirements

  • Bash
  • DKMS
  • keyring (install using pip as root)
  • MOK signing key
  • An (initially empty) /etc/dkms/framework.conf.d/signing.conf, created as root with: # touch /etc/dkms/framework.conf.d/signing.conf

DKMS prior to v3

Mandatory steps:

In signing.conf, add the following line:

sign_tool="/etc/dkms/framework.conf.d/sign_helper.sh"

Then create /etc/dkms/framework.conf.d/sign_helper.sh with the following content:

#!/bin/bash
# Called by DKMS (via sign_tool) as:  sign_helper.sh <kernel version> <built module>

# Fetch the MOK passphrase from the keyring. If the entry is missing (or the
# keyring is locked), `keyring set` prompts once and stores it, then we read it back.
MOK_PASS=$(keyring get uefi mok)

if [[ $? -ne 0 ]]; then
	keyring set uefi mok
	MOK_PASS=$(keyring get uefi mok)
fi

# sign-file reads the private key's passphrase from KBUILD_SIGN_PIN in its environment.
env KBUILD_SIGN_PIN="$MOK_PASS" \
	/lib/modules/"$1"/build/scripts/sign-file \
		sha512 \
		/var/lib/shim-signed/mok/MOK.priv \
		/var/lib/shim-signed/mok/MOK.der \
		"$2"
# Where:
# 	$1 = Kernel version
# 	$2 = Built module location

After that, run sudo chmod +x /etc/dkms/framework.conf.d/sign_helper.sh to make it executable.

This assumes your signing key is passphrase-protected. If it isn't, remove the keyring lookup (everything from the MOK_PASS= line through fi) and the env KBUILD_SIGN_PIN= prefix, so the script calls sign-file directly.

That's it!

Now whenever it wants to sign, it will get the passphrase from the keyring.

If the entry doesn't exist yet (or the keyring is locked), it will prompt for the passphrase once, add it (or unlock the keyring), and then use the stored value on subsequent runs instead of asking repeatedly.


DKMS v3

DKMS introduced automatic signing support using sign_file in v3.

You have to set the mok_signing_key and mok_certificate variables listed in /etc/dkms/framework.conf to the locations of MOK signing key and certificate, respectively.

By default, DKMS assumes they are available under /var/lib/dkms as mok.key and mok.pub.

You may need to change these to your distro's defaults, especially if you are upgrading from a previous version. For example, on Debian, signing.conf would have the following lines:

mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
mok_certificate="/var/lib/shim-signed/mok/MOK.der"

If your MOK signing key isn't passphrase-protected, you don't need to do anything else.

If your key is passphrase-protected, do the following:  

In signing.conf, add the following line:

sign_file="/etc/dkms/framework.conf.d/sign_helper.sh"

Then create /etc/dkms/framework.conf.d/sign_helper.sh with the following content:

#!/bin/bash
# Called by DKMS v3 (via sign_file) as:
#   sign_helper.sh <hash algorithm> <MOK signing key> <MOK certificate> <built module>
# $kernelver is the kernel version DKMS is building for, supplied by DKMS.

# Fetch the MOK passphrase from the keyring. If the entry is missing (or the
# keyring is locked), `keyring set` prompts once and stores it, then we read it back.
MOK_PASS=$(keyring get uefi mok)

if [[ $? -ne 0 ]]; then
	keyring set uefi mok
	MOK_PASS=$(keyring get uefi mok)
fi

# sign-file reads the private key's passphrase from KBUILD_SIGN_PIN in its environment.
env KBUILD_SIGN_PIN="$MOK_PASS" \
	/lib/modules/"$kernelver"/build/scripts/sign-file \
		"$1" \
		"$2" \
		"$3" \
		"$4"
# Where:
# 	$1 = Hash algorithm; here: sha512
# 	$2 = MOK signing key location
# 	$3 = MOK certificate location
# 	$4 = Built module location

After that, run sudo chmod +x /etc/dkms/framework.conf.d/sign_helper.sh to make it executable.

That's it!

Now whenever it wants to sign, it will get the passphrase from the keyring.

If the entry doesn't exist yet (or the keyring is locked), it will prompt for the passphrase once, add it (or unlock the keyring), and then use the stored value on subsequent runs instead of asking repeatedly.
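Whichever DKMS version you use, the thing worth verifying before rebooting with Secure Boot enforcing is that the hook actually ran and the built .ko carries an appended signature. The following checker is an added example, not part of this gist or of DKMS: it inspects the trailer that scripts/sign-file appends to a module, namely the PKCS#7 signature blob, then a 12-byte struct module_signature (algo, hash, id_type, signer_len, key_id_len, three pad bytes, big-endian u32 sig_len), then the 28-byte marker "~Module signature appended~\n", as laid out in the kernel's include/linux/module_signature.h. The function names and the fixture file it builds for itself are my own; the fixture is a constructed byte string, not a real module.

```shell
#!/bin/bash
# Added example: check that a kernel module carries the trailer sign-file appends.
# Uses only bash plus coreutils (tail, head, od, wc) so it runs on any build host.

MARKER='~Module signature appended~'
MARKER_LEN=28     # 27 marker characters plus the trailing newline
SIGINFO_LEN=12    # sizeof(struct module_signature)
PKEY_ID_PKCS7=2   # id_type value that sign-file writes

# 0 if the file ends with the marker, 1 if not, 2 if unreadable.
# NUL bytes are stripped so an unsigned ELF tail does not trip bash warnings.
module_is_signed() {
	local f=$1
	[ -r "$f" ] || return 2
	[ "$(tail -c "$MARKER_LEN" "$f" | tr -d '\000\n')" = "$MARKER" ]
}

# Prints sig_len from the appended struct module_signature.
# Fails if the module is unsigned or the trailer is not a PKCS#7 one.
module_signature_length() {
	local f=$1
	module_is_signed "$f" || return 1
	# The 12 info bytes sit immediately before the marker; od prints them in decimal.
	set -- $(tail -c $((MARKER_LEN + SIGINFO_LEN)) "$f" | head -c "$SIGINFO_LEN" | od -An -tu1 -v)
	[ "$#" -eq "$SIGINFO_LEN" ] || return 1
	[ "$3" -eq "$PKEY_ID_PKCS7" ] || return 1                 # byte 3 = id_type
	echo $(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))  # bytes 9..12 = sig_len
}

# 0 if the trailer is self-consistent: signed, PKCS#7, non-empty signature, and the
# file is long enough to hold payload + signature + info struct + marker.
module_signature_consistent() {
	local f=$1 size siglen
	siglen=$(module_signature_length "$f") || return 1
	[ "$siglen" -gt 0 ] || return 1
	size=$(( $(wc -c < "$f") ))
	[ "$size" -ge $((siglen + SIGINFO_LEN + MARKER_LEN)) ]
}

# Writes one raw byte given its decimal value.
put_byte() { printf "\\$(printf '%03o' "$1")"; }

# Constructed fixture (not a real module): a fake payload followed by a trailer
# laid out exactly as sign-file would write it, with a 5-byte dummy signature.
make_sample_signed_module() {
	local out=$1
	{
		printf 'fake-module-payload'
		printf 'SIG!!'                                        # 5 "signature" bytes
		put_byte 0; put_byte 0; put_byte "$PKEY_ID_PKCS7"     # algo, hash, id_type
		put_byte 0; put_byte 0                                # signer_len, key_id_len
		put_byte 0; put_byte 0; put_byte 0                    # __pad[3]
		put_byte 0; put_byte 0; put_byte 0; put_byte 5        # sig_len = 5, big-endian
		printf '%s\n' "$MARKER"
	} > "$out"
}

# Usage: ./check_module_sig.sh /lib/modules/$(uname -r)/updates/dkms/<module>.ko
if [ -n "${1-}" ]; then
	if module_signature_consistent "$1"; then
		echo "$1: signed, PKCS#7 signature of $(module_signature_length "$1") bytes"
	else
		echo "$1: no valid appended signature" >&2
		exit 1
	fi
fi
```

This only proves a signature is present and well-formed, not that it was made with the key whose certificate you enrolled; for that, cross-check with modinfo -F signer on the module and mokutil --list-enrolled for the certificate, and the definitive test is that the module loads with no "Key was rejected by service" error once Secure Boot is on.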


@siddhpant (Author)

If you don't want to use keyring because it needs a UI by default, you can either configure it for headless use, or just get the passphrase through standard ways like read every time, or make a temporary file, store the passphrase in it, and remember to delete it later. Something like (I did not test this):

[...]

# Note: /tmp is world-writable, so a fixed, predictable path here can be pre-created
# by another local user; a root-only directory is the safer place for this file.
MOK_PASS_FILE="/tmp/mok_pass_file"

if [[ ! -f "$MOK_PASS_FILE" ]]; then
	# R/W on the tty gets around DKMS' possible redirection to /dev/null.
	# Idea from: https://gist.github.com/sbueringer/bd8cec239c44d66967cf307d808f10c4#file-sign-modules-L14
	echo -n "Enter MOK passphrase: " > /dev/tty
	read -r -s KBUILD_SIGN_PIN < /dev/tty

	# Create the file readable only by root, before anything secret is written to it.
	touch "$MOK_PASS_FILE"
	chmod 600 "$MOK_PASS_FILE"
	sudo chown root:root "$MOK_PASS_FILE"

	# Save the passphrase in the file.
	echo "$KBUILD_SIGN_PIN" | sudo tee "$MOK_PASS_FILE" > /dev/null
else
	KBUILD_SIGN_PIN="$(sudo cat "$MOK_PASS_FILE")"
fi

# sign-file reads the passphrase from its environment, so the variable must be exported.
export KBUILD_SIGN_PIN

[...]
