On systems with UEFI Secure Boot enabled, recent Linux kernels will only load signed modules, so it's about time DKMS grew the capability to sign modules it's building.
These scripts are extended and scriptified variants of https://computerlinguist.org/make-dkms-sign-kernel-modules-for-secure-boot-on-ubuntu-1604.html and https://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur/768310#768310 and add some error checking, a passphrase around your signing key, and support for compressed modules.
dkms-sign-module
is a wrapper for the more generic sign-modules
which can also be used outside of DKMS.
- Create a directory under
/root
, say/root/module-signing
, put the three scripts below in there and make them executable:chmod u+x one-time-setup sign-modules dkms-sign-module
- Run
one-time-setup
- Reboot your computer to deploy the MOK
- For each module you will want to sign via DKMS, create a file
/etc/dkms/<module_name>.conf
with the following content:
The awkward relative pathname is important since DKMS prepends its own path to it, so an absolute path will not work.POST_BUILD=../../../../../../root/module-signing/dkms-sign-module
With Debian 11 using dkms 2.8 (or Debian 10 with the backported package) there is a build-in function 👍
enable it in /etc/dkms/framework.conf:
uncomment line "sign_tool="/etc/dkms/sign_helper.sh""
eventually tweak the /etc/dkms/sign_helper.sh to match your signature.