ko_sign

Primary language: Shell. License: MIT.

Generate a key and enroll it

The process is documented in gen_key.sh. env.sh must be created first; KEY and CERT are needed here. It is also recommended to change the req_distinguished_name section in x509.genkey.

Sign kernel modules

Define the modules to be signed in env.sh; env.sh.example is provided as an example. Then run:

sudo ./ko_sign.sh

# or interactive mode
sudo ./ko_sign.sh -i

Utility

Check keys in use

sudo keyctl list %:.builtin_trusted_keys
sudo mokutil --db
sudo cat /proc/keys | grep asymmetri

Check if Secure Boot is enabled

sudo mokutil --sb-state

Export certificates of all enrolled keys

sudo mokutil --export

List enrolled keys

sudo mokutil --list-enrolled

Delete a key (requires its DER certificate)

mokutil --delete MOK-0001.der

Delete all keys

sudo mokutil --reset

Check if a kernel module is signed

sudo modinfo KO_NAME
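
To check several module files at once without loading them, the added script below (an example written for this page, not part of this repository) tests whether each file ends with the marker string `~Module signature appended~` that a signed module carries. The function names and the file-path arguments are assumptions of the example; .xz, .gz and .zst files are decompressed first.

```shell
#!/bin/sh
# Added example. The marker only shows that a signature is attached; whether it
# chains to an enrolled key is decided by the kernel when the module is loaded.

to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# MODULE_SIG_STRING from the kernel sources: 27 characters plus a newline.
MARKER_HEX=$(printf '~Module signature appended~\n' | to_hex)

# Write the module to stdout, decompressing by extension where needed.
ko_cat() {
    case "$1" in
        *.xz)  xz -dc -- "$1" ;;
        *.gz)  gzip -dc -- "$1" ;;
        *.zst) zstd -dcq -- "$1" ;;
        *)     cat -- "$1" ;;
    esac
}

# ko_is_signed FILE: 0 = marker present, 1 = absent, 2 = file not readable.
ko_is_signed() {
    [ -r "$1" ] || return 2
    [ "$(ko_cat "$1" 2>/dev/null | tail -c 28 | to_hex)" = "$MARKER_HEX" ]
}

# ko_report FILE...: one line per file; returns 1 if any file is not signed.
ko_report() {
    rc=0
    for f in "$@"; do
        if ko_is_signed "$f"; then
            echo "signed    $f"
        else
            echo "UNSIGNED  $f"
            rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    ko_report "$@"
else
    # Constructed sample files (not real modules), so the script runs anywhere.
    d=$(mktemp -d)
    printf 'ELF-body' > "$d/plain.ko"
    printf 'ELF-body<sig>~Module signature appended~\n' > "$d/signed.ko"
    ko_report "$d/plain.ko" "$d/signed.ko" || true
    rm -rf "$d"
fi
```

A file that passes this check can still be rejected at load time if its signing certificate is not enrolled; compare the signer shown by modinfo with the output of mokutil --list-enrolled.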

Auto-compiling tools

akmods (kmodgenca)

DKMS

initrd

Add the following line to /etc/dracut.conf.d/nvidia.conf.

add_drivers+=" nvidia-drm nvidia-modeset nvidia-uvm nvidia nvidia-peermem "

Run dracut -f --regenerate-all, or use the --kver argument.

Docs