Module not starting at boot time on a system with secureboot enabled
reisaraujo-miguel opened this issue · 6 comments
I'm using Fedora 36 (kernel 5.18.5-200.fc36.x86_64) and have compiled the driver. It works fine, but even after running deploy.sh
the kernel module does not seems to start at boot time, so I have to run insmod 88x2bu.ko
every time I boot my system.
Edit: I was able to start the module by running insmod 88x2bu.ko
because I had signed that file, but I didn't knew that dkms wasn't installing that same file that I had signed, it was compiling a new module and wasn't signing it
Fixed the problem.
Because I have secureboot enabled, I had to create two keys called dkms.der
and dkms.key
at /root
, using openssl, and enroll dkms.der
using mokutil. And then I uncommented the line sign_tool="/etc/dkms/sign_helper.sh"
in the /etc/dkms/framework.conf
file.
Then I just needed to run the deploy.sh
script, after removing the previously installed module.
Step-by-step:
Ensure you have openssl and mokutil installed, then run:
sudo -i
openssl req -utf8 -new -x509 \
-newkey rsa:2048 -keyout /root/dkms.key \
-outform DER -out /root/dkms.der \
-noenc -days 36500
mokutil --import ./dkms.der
Insert a passphrase two times, and then reboot to enroll that key.
If you run dkms status
and you see that the rtl88x2bu/module-version
(in my case rtl88x2bu/5.8.7.1
) module is installed, run:
dkms remove rtl88x2bu/module-version
Then go to the /etc/dkms/framework.conf
file and uncomment the line sign_tool="/etc/dkms/sign_helper.sh"
. After that you can run the deploy.sh
script.
Hi,
I have two problems:
- can't find the sign_helper.sh script
- MOKutil doesn't accept the key upon reboot
- After entereing MOK on reboot, ubuntu won't load.
I'm on ubuntu 20.04 LTS
For precision, I'm a complete noob... Thanks!
It seems DKMS updated, this should do it:
Step-by-step:
Step 1
Ensure you have openssl and mokutil installed, then run:
sudo -i
openssl req -utf8 -new -x509 \
-newkey rsa:2048 -keyout /var/lib/dkms/mok.key \
-outform DER -out /var/lib/dkms/mok.pub \
-noenc -days 36500
OBS: By default DKMS searches for a key pair called mok.key and mok.pub at /var/lib/dkms/
. if you already have a key pair at /root/
, I think renaming and moving them should be enough.
Step 2
mokutil --import /var/lib/dkms/mok.pub
Insert a passphrase two times, and then reboot to enroll that key.
Step 3
If you run dkms status
and you see that the rtl88x2bu/<module-version>
(in my case rtl88x2bu/5.8.7.1
) module is installed, run:
dkms remove rtl88x2bu/<module-version>
After that you can run the deploy.sh
script.
OBS: you don't need to change anything in the framework.conf
file.
OBS-2: the sign_helper.sh
script doesn't exists anymore.
Hi, I have two problems:
* can't find the sign_helper.sh script * MOKutil doesn't accept the key upon reboot * After entereing MOK on reboot, ubuntu won't load. I'm on ubuntu 20.04 LTS For precision, I'm a complete noob... Thanks!
About Ubuntu not loading, I'm not sure what happened there. I think you can go into your BIOS and clear all the keys saved and then try again.
Let me know if you are still having problems.
Thanks a lot! Ubuntu still doesn't load, I can only enter recovery mode to access the root shell prompt, so I did this:
- renaming the keys (dkms.key --> mok.key and dkms.der to mok.der)
- moving the key from /root/ to /var/lib/dkms/
- Import mok.der with mokutils (failed, already imported)
- delete mok.der
-reboot - re-import mok.der in mokutils
- reboot (this time MOK recognized it at boot)
still ubuntu HMI doesn't load (I only get a blinking "_")
This doesn't seem to be related to enrolling the key, but I'm not sure what happened. If you can enter recovery mode, I think this means you can get to grub.
Have you done anything else before trying to enroll the key the first time? Like a System Update or something? Have you tried booting on an older kernel to see if it works? Usually there is the option to boot on previous kernel versions on grub.