The default signed Linux kernel on Ubuntu (>= 16.04.x), Fedora and perhaps other distributions as well won't load unsigned external kernel modules when Secure Boot is enabled on UEFI systems. Hence any external kernel module, such as the proprietary Nvidia kernel driver or Oracle VM VirtualBox's host/guest kernel drivers, won't work.
External kernel modules must be signed for UEFI Secure Boot using a Machine Owner Key (MOK). This is useful if you can't or don't wish to disable Secure Boot on your UEFI-enabled system.
UEFI Secure Boot Sign Tool signs kernel modules for Secure Boot. Essentially, it is a wrapper around the sign-file binary from the kernel sources.
Once setup is complete, the systemd service can be enabled to automatically sign the configured kernel modules with the user's own key.
Fedora Dependencies:
- kernel-devel
- mokutil
- openssl
- Any text editor
Extract/install the files in their respective locations: download the installation script from the releases page and run install.sh as root.
# ./install.sh
Generate an X.509 key pair to use as the UEFI Secure Boot Machine Owner Key (MOK):
$ openssl req -new -x509 -newkey rsa:2048 -keyout "/etc/sb-signtool/keyfiles/sb.priv" -outform DER -out "/etc/sb-signtool/keyfiles/sb_pub.der" -nodes -days 36500 -subj "/CN=<your name>/"
Because -nodes writes the private key unencrypted, keep /etc/sb-signtool/keyfiles/sb.priv readable by root only. Then enroll the public key in the MOK list; mokutil asks for a one-time password, and MokManager prompts for it on the next reboot to confirm the enrollment:
# mokutil --import "/etc/sb-signtool/keyfiles/sb_pub.der"
You must edit the following file before running the script:
/etc/sb-signtool/modules.conf
An example file is available in the documentation.
You must run the signing tool every time a kernel module is rebuilt or a new kernel is installed, or enable the systemd service to do that on boot:
# /usr/bin/sb-signtool-sign
# systemctl enable sb-signtool.service
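The signing step above, as an added example that is not sb-signtool's own code: a small shell script that reads a modules.conf-style list, resolves each module name to its .ko path for the running kernel with modinfo, skips modules that already carry the kernel's appended-signature marker, and signs the rest with the kernel's sign-file using the key paths from this README. The location of sign-file, the SB_* environment overrides and the config format (one module name per line, '#' comments) are assumptions, since the page does not show the example file.

```shell
#!/usr/bin/env bash
# Added example, not part of sb-signtool: sign the kernel modules listed in a
# modules.conf-style file with the kernel's sign-file, skipping modules that
# already carry a signature. Key paths follow the README; SIGN_FILE and the
# config format (one module name per line, '#' comments) are assumptions.
set -u

SB_KEY="${SB_KEY:-/etc/sb-signtool/keyfiles/sb.priv}"
SB_CERT="${SB_CERT:-/etc/sb-signtool/keyfiles/sb_pub.der}"
# Typical kernel-devel location on Fedora; Ubuntu ships it under
# /usr/src/linux-headers-$(uname -r)/scripts/sign-file.
SIGN_FILE="${SIGN_FILE:-/usr/src/kernels/$(uname -r)/scripts/sign-file}"

# The kernel appends this 27-byte marker plus a newline to every signed module.
SIG_MARKER='~Module signature appended~'

# module_is_signed FILE: 0 if FILE ends with the signature marker, 1 otherwise,
# 2 if FILE does not exist. Cheaper than parsing the whole signature block.
module_is_signed() {
    [ -f "$1" ] || return 2
    [ "$(tail -c 28 "$1")" = "$SIG_MARKER" ]
}

# read_modules_conf FILE: print module names, dropping comments, surrounding
# whitespace and blank lines.
read_modules_conf() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# sign_module FILE: sign in place with sha256 (sign-file <hash> <key> <cert> <module>).
sign_module() {
    if module_is_signed "$1"; then
        echo "already signed: $1"
        return 0
    fi
    "$SIGN_FILE" sha256 "$SB_KEY" "$SB_CERT" "$1" && echo "signed: $1"
}

# sign_listed_modules CONF: resolve each listed module for the running kernel and sign it.
# Compressed modules (.xz/.zst/.gz, common on Fedora) must be decompressed first;
# sign-file cannot sign them in place, so they are reported instead of guessed at.
sign_listed_modules() {
    read_modules_conf "$1" | while read -r name; do
        path=$(modinfo -n "$name" 2>/dev/null) || { echo "not found for $(uname -r): $name" >&2; continue; }
        case "$path" in
            *.xz|*.zst|*.gz) echo "compressed module, decompress before signing: $path" >&2; continue ;;
        esac
        sign_module "$path"
    done
}

# Run only when a config file is given on the command line, e.g.:
#   sudo ./sign-listed.sh /etc/sb-signtool/modules.conf
if [ -n "${1:-}" ]; then
    [ -x "$SIGN_FILE" ] || { echo "sign-file not found at $SIGN_FILE" >&2; exit 1; }
    sign_listed_modules "$1"
fi
```

After a kernel update, running the script again is enough to re-sign every listed module for the new kernel; the marker check also gives a quick way to verify before rebooting that nothing on the list was left unsigned.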
To do:
- Packaging and distribution for Ubuntu, Fedora, Arch Linux etc.
Feel free to create GitHub Issues and issue Pull Requests to contribute to this project.
Code released under GNU General Public License v2.0.