Signing your kernel modules on Ubuntu 16.04

I have an Asus UX3410UA laptop. To silence the fan I use ACPI calls to adjust the fan tipping point. See this. The “acpi_call” executable needs the kernel module “acpi-call-dkms”. If Secure Boot is enabled on a computer, this module will not load unless it is signed and the proper keys are enrolled in the EFI. Here’s how to do both. The pages I got this from are here, here and here.


Generate a key for signing your kernel modules:

  • Run the following and input a good password you can remember:
    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=DKMS signing key/"
  • Register the keys to Secure Boot: “sudo mokutil --import MOK.der”.
  • Check if registering worked: “mokutil --test-key MOK.der”.
  • Move the keys to /root: “sudo mv MOK.* /root/”.

Reboot and add the key:

You will be presented with a blue text screen. Choose “Enroll MOK”, then you can choose to view your key or just “Continue”. Choose “Yes” and input the password from before. Your key should be added now and you can reboot.

Set up automatic key signing:

  • Create a file “/etc/dkms/sign-kernel-objects.conf” with the following content:
    POST_BUILD=../../../../../../root/sign-kernel.sh
  • Create the script which signs the modules in “/root/sign-kernel.sh” and add the content:
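    #!/bin/bash
    # Runs as the DKMS POST_BUILD hook; $kernelver and $arch come from DKMS.
    cd "../$kernelver/$arch/module/" || exit 1
    for kernel_object in *.ko; do
        echo "Signing kernel_object: $kernel_object"
        # Arguments: hash algorithm, private key, X.509 certificate, module file
        /usr/src/linux-headers-$kernelver/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der "$kernel_object"
    done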
  • To activate signing for your kernel module with the name “ABC”, add a link to the configuration: “sudo ln -s /etc/dkms/sign-kernel-objects.conf /etc/dkms/ABC.conf”. To find out what the correct name of the module is, try listing the modules in “/var/lib/dkms”.

You can install the kernel module now and it should be automatically signed.
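
To confirm that the hook actually ran, you can check the built modules for the trailer that sign-file appends. This is an added example, not part of the original post; the function names are made up for illustration and the default directory /lib/modules/$(uname -r)/updates/dkms is an assumption about where DKMS installs modules on your system.

```bash
#!/bin/bash
# Added example: list kernel objects that do NOT carry an appended signature.
# A signed module ends with the 28-byte marker "~Module signature appended~\n".

MARKER='~Module signature appended~'

# Return 0 if the file ends with the signature marker, 1 otherwise.
is_signed() {
    file="$1"
    [ -f "$file" ] || return 1
    # Command substitution strips the marker's trailing newline;
    # tr drops NUL bytes that an unsigned binary may have in its tail.
    tail_bytes="$(tail -c 28 "$file" 2>/dev/null | tr -d '\0')"
    [ "$tail_bytes" = "$MARKER" ]
}

# Print every unsigned *.ko directly inside a directory.
# Returns 1 if at least one unsigned module was found, 0 otherwise.
list_unsigned() {
    dir="$1"
    found=0
    for ko in "$dir"/*.ko; do
        [ -e "$ko" ] || continue    # glob matched nothing
        if ! is_signed "$ko"; then
            printf '%s\n' "$ko"
            found=1
        fi
    done
    return "$found"
}

# Assumed DKMS install location; pass another directory as the first argument.
DKMS_DIR="${1:-/lib/modules/$(uname -r)/updates/dkms}"
if [ -d "$DKMS_DIR" ]; then
    list_unsigned "$DKMS_DIR" || echo "Unsigned modules found in $DKMS_DIR" >&2
fi
```

The marker only shows that a signature was appended, not which key made it. “modinfo -F signer <module>” prints the signer name, which should match the CN of your MOK.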

Published by HorstBaerbel

Software developer by trade and interest, but I venture into the electronics- and diy-world from time to time.

One thought on “Signing your kernel modules on Ubuntu 16.04”

  1. Hi, when I run the command “openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=DKMS signing key/"” it logs:
     Can't load /home/thanhtung/.rnd into RNG
     139667867890112:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/thanhtung/.rnd
     Generating a RSA private key
     …………………………………………………………………………………………………………………+++++
     ……+++++
     writing new private key to 'MOK.priv'
     Can you help??
