Skip to content

Instantly share code, notes, and snippets.

View dasunsrule32's full-sized avatar

Aaron Echols dasunsrule32

  • Arizona State University
  • Jacksonville, FL
View GitHub Profile
@dasunsrule32
dasunsrule32 / dkms-module-signing.md
Created July 25, 2021 21:51 — forked from sbueringer/dkms-module-signing.md
Make DKMS sign kernel modules on installation, with full script support and somewhat distro independent

On systems with UEFI Secure Boot enabled, recent Linux kernels will only load signed modules, so it's about time DKMS grew the capability to sign modules it's building.

These scripts are extended and scriptified variants of https://computerlinguist.org/make-dkms-sign-kernel-modules-for-secure-boot-on-ubuntu-1604.html and https://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur/768310#768310 and add some error checking, a passphrase around your signing key, and support for compressed modules.

dkms-sign-module is a wrapper for the more generic sign-modules which can also be used outside of DKMS.

Installation

  1. Create a directory under /root, say /root/module-signing, put the three scripts below in there and make them executable: chmod u+x one-time-setup sign-modules dkms-sign-module

Keybase proof

I hereby claim:

  • I am dasunsrule32 on github.
  • I am asu_echols (https://keybase.io/asu_echols) on keybase.
  • I have a public key ASD3o8YMRsvEPGXkbnoHP6Te9sU4gL7Iw5QNXcmNb-Dixgo

To claim this, I am signing this object: