Secure Boot: module signing with DKMS

[umlaeute]

When secure boot is enabled, modules must be signed - otherwise the kernel will refuse to load them.
How?

[umlaeute]

For your convenience, the build system provides as sign target.

Prerequisites

• a private key/public certificate pair for signing kernel modules
• the certificate must be known to the system

How to create and enroll a signing certificate is outside the scope of this document.
For Debian systems (and probably others), check out the documentation:

• Creating a signing key
• Enrolling the signing key

Simple usage

make sign

This assumes that the certificate/signing key are listed in /etc/dkms/framework.conf as mok_certificate resp. mok_signing_key.
It also assumes that these files are readable by the current user and do not require a password to unlock.

Advanced usage

You can manually pass the signing key and certificate to the build process via the KBUILD_SIGN_KEY and KBUILD_SIGN_CERT variables.
f your key requires a passphrase, provide it via an (exported) envvar KBUILD_SIGN_PIN.

If the key (and/or certificate) require super-user proviliges to be read, run the build process through sudo, but make sure to preserve the KBUILD_SIGN_PIN environment variable.

read -s -p "Passphrase for your signing key: " KBUILD_SIGN_PIN
export KBUILD_SIGN_PIN
sudo --preserve-env=KBUILD_SIGN_PIN \
    make sign KBUILD_SIGN_CERT=/var/lib/shim-signed/mok/MOK.der KBUILD_SIGN_KEY=/var/lib/shim-signed/mok/MOK.priv