@Era-Dorta
Last active July 9, 2024 14:08
Sign kernel modules on Ubuntu, useful for Nvidia drivers in UEFI system
# VERY IMPORTANT! After each kernel update or dkms rebuild the modules must be signed again with the script
# ~/.ssl/sign-all-modules.sh
# Place all files in ~/.ssl folder
mkdir -p ~/.ssl
cd ~/.ssl
# Generate custom keys with openssl
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -subj "/CN=Owner/"
# Set more restrictive permissions as these are private keys
chmod 600 MOK.*
# Add the sign-all-modules script to the .ssl folder
cat <<EOT > sign-all-modules.sh
#!/bin/bash
sudo -v
echo "Signing the following modules"
for filename in /lib/modules/\$(uname -r)/updates/dkms/*.ko; do
    sudo /usr/src/linux-headers-\$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der "\$filename"
    echo "\$filename"
done
EOT
chmod +x ~/.ssl/sign-all-modules.sh
# Run the script
~/.ssl/sign-all-modules.sh
# Add the key to the trusted keys database
sudo apt-get install mokutil
# mokutil asks for a one-time password; the enrollment screen at boot asks for it again
sudo mokutil --import ~/.ssl/MOK.der
cd ~
# Reboot and in the boot screen select add/import key
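
A check to run after the signing script, added here as an example and not part of the gist: it walks a module directory recursively and lists every `.ko` file that lacks the trailer `sign-file` appends, so modules that live outside the globbed path show up. The function names `is_signed` and `list_unsigned` are made up for this example, and the default directory is an assumption.

```shell
#!/bin/sh
# Added example (not part of the gist): report .ko files with no appended signature.
# sign-file ends a signed module with this 28-byte marker (27 characters + newline).
MODSIG_HEX="$(printf '~Module signature appended~\n' | od -An -v -tx1 | tr -d ' \n')"

# is_signed FILE: succeed if the last 28 bytes of FILE are the marker.
# Bytes are compared as hex so NUL bytes in a binary tail cannot upset the shell.
is_signed() {
    [ "$(tail -c 28 "$1" | od -An -v -tx1 | tr -d ' \n')" = "$MODSIG_HEX" ]
}

# list_unsigned DIR: print every *.ko under DIR (recursively) that lacks the marker.
list_unsigned() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        is_signed "$ko" || printf '%s\n' "$ko"
    done
}

# Assumption: default to the tree the gist signs; pass another directory as $1.
dir="${1:-/lib/modules/$(uname -r)/updates}"
if [ -d "$dir" ]; then
    unsigned="$(list_unsigned "$dir")"
    if [ -n "$unsigned" ]; then
        echo "Unsigned modules under $dir:"
        printf '%s\n' "$unsigned"
    else
        echo "Every .ko under $dir carries a signature trailer"
    fi
fi
```

The trailer only shows that a signature was appended, not which key made it: `modinfo -F signer <module>` prints the signer name, and `mokutil --list-enrolled` shows whether the MOK was actually enrolled.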
@boospy

boospy commented Dec 27, 2018

Hello @Garoe, sorry for the late answer, didn't get a notification from GitHub. So the problem exists. Strange, I've installed only one kernel. And nvidia drivers are installed and loaded. I had a lot of kernel updates in the past, and never had a problem with your script, it was working fine a long time :) Maybe I can set some paths... or other options to solve the problem?

@Era-Dorta
Author

Try running locate nvidia_*.ko, where you substitute the * with the nvidia driver version that you have installed, for example locate nvidia_387.ko. That should tell you where the modules are located; then all you need to do is substitute the path in line 22 (line 6 on the sign-all-modules.sh file) with your path.

P.S. I use https://giscus.co/ to get email notifications for gist comments.

@boospy

boospy commented Feb 9, 2019

I've changed the path in the script, now it is working again:

#!/bin/bash

sudo -v

echo "Signing the following modules"

# Sign the modules installed under updates/
for filename in /lib/modules/$(uname -r)/updates/*.ko; do
    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der "$filename"

    echo "$filename"
done

# Sign the modules installed under kernel/drivers/char/drm/
for filename in /lib/modules/$(uname -r)/kernel/drivers/char/drm/*.ko; do
    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der "$filename"

    echo "$filename"
done
