Signing Modules with mokutil

This blog focuses on installing Nvidia driver and few other drivers using the mokutil signing functionality.

1. Create a pair of key on system to sign the modules.

openssl req -new -x509 -newkey rsa:2048 -keyout /home/user/Nvidia.key -outform DER -out /home/user/Nvidia.der -nodes -days 36500 -subj "/CN=Graphics Drivers"

2. Add the key (Enroll using mok)

First command will ask for a password. After reboot enter the same password. (** Prompt will ask for characters in specific position of the password. Do not enter the whole password. **)

sudo mokutil --import /home/user/Nvidia.der
sudo reboot

Check if keys are enrolled

sudo mokutil --list-enrolled # or sudo mokutil --list-enrolled | grep -i Graphics

3. Update the dkms sign file if adding using dkms

Updated the /etc/dkms/sign_helper.sh. Add/update the line with the newly created key paths.

/lib/modules/"$1"/build/scripts/sign-file sha512 /home/user/Nvidia.priv /home/user/Nvidia.der "$2"

Update /etc/dkms/framework.conf Uncomment the line where sign_tool is mentioned

sign_tool="/etc/dkms/sign_helper.sh"

If you have already added dkms modules before changing the sign file, first remove and then add them again.

sudo dkms status # Check status of dkms module
sudo dkms remove <module>/<version> -k <kernel_version>
Eg. sudo dkms remove hid-asus-rog/1.0.2 -k 5.10.0-8-amd64
sudo dkms status # Check uninstalled again
sudo dkms add . # in the cloned directory of dkms module
sudo dkms build <module>/<version>
sudo dkms install <module>/<version>

4. Installing Nvidia driver

For installing Nvidia driver using the .run file and enrolled keys. Get-the-Driver-here

sudo sh ./NVIDIA-Linux-x86_64-460.73.01.run -s --module-signing-secret-key=/home/user/Nvidia.key --module-signing-public-key=/home/user/Nvidia.der

If this does not work try removing -s from the command above.