Last active
July 9, 2024 14:08
-
-
Save Era-Dorta/74a0040f50ae7987885a0bebe5eda1aa to your computer and use it in GitHub Desktop.
Sign kernel modules on Ubuntu, useful for Nvidia drivers in UEFI system
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # VERY IMPORTANT! After each kernel update or dkms rebuild the modules must be signed again with the script | |
| # ~/.ssl/sign-all-modules.sh | |
| # Place all files in ~/.ssl folder | |
| mkdir ~/.ssl | |
| cd ~/.ssl | |
| # Generate custom keys with openssl | |
| openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -subj "/CN=Owner/" | |
| # Set more restrictive permisions as these are private keys | |
| chmod 600 MOK.* | |
| # Add the sign-all-modules script to the .ssl folder | |
| cat <<EOT > sign-all-modules.sh | |
| #!/bin/bash | |
| sudo -v | |
| echo "Signing the following modules" | |
| for filename in /lib/modules/\$(uname -r)/updates/dkms/*.ko; do | |
| sudo /usr/src/linux-headers-\$(uname -r)/scripts/sign-file sha256 ~/.ssl/MOK.priv ~/.ssl/MOK.der \$filename | |
| echo "\$filename" | |
| done | |
| EOT | |
| chmod +x ~/.ssl/sign-all-modules.sh | |
| #Run the script | |
| ~/.ssl/sign-all-modules.sh | |
| #Add the key to the trusted keys database | |
| sudo apt-get install mokutil | |
| sudo mokutil --import ~/.ssl/MOK.der | |
| cd ~ | |
| #Reboot and in the boot screen select add/import key |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've changed the path in the script, not it is working again: