-
-
Save therustmonk/da73168f2373d8f2ad34d03ad8e313b4 to your computer and use it in GitHub Desktop.
Sign Intel SGX kernel modules on Fedora (UEFI Secure Boot)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # VERY IMPORTANT! After each kernel update or dkms rebuild the modules must be signed again with the script | |
| # ~/.ssl/sign-all-modules.sh | |
| # Place all files in ~/.ssl folder | |
| mkdir ~/.ssl | |
| cd ~/.ssl | |
| # Generate custom keys with openssl | |
| openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -subj "/CN=Owner/" | |
| # Set more restrictive permisions as these are private keys | |
| chmod 600 MOK.* | |
| # Add the sign-all-modules script to the .ssl folder | |
| cat <<EOT > sign-all-modules.sh | |
| #!/bin/bash | |
| sudo -v | |
| echo "Signing the following sgx modules" | |
| for filename in /lib/modules/$(uname -r)/kernel/drivers/intel/sgx/*.ko; do | |
| sudo /usr/src/kernel/$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der $filename | |
| echo "$filename" | |
| done | |
| EOT | |
| chmod +x ~/.ssl/sign-all-modules.sh | |
| #Run the script | |
| ~/.ssl/sign-all-modules.sh | |
| #Add the key to the trusted keys database | |
| sudo apt-get install mokutil | |
| sudo mokutil --import ~/.ssl/MOK.der | |
| cd ~ | |
| #Reboot and in the boot screen select add/import key |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment