The process is documented in gen_key.sh. env.sh needs to be created first. KEY and CERT are needed here. It is also recommended to change the req_distinguished_name section in x509.genkey.
Define the modules to be signed in env.sh (see env.sh.example for an example). Then run:
sudo ./ko_sign.sh
# or interactive mode
sudo ./ko_sign.sh -i
sudo keyctl list %:.builtin_trusted_keys
sudo mokutil --db
sudo cat /proc/keys | grep asymmetri
sudo mokutil --sb-state
sudo mokutil --export
sudo mokutil --list-enrolled
mokutil --delete MOK-0001.der
sudo mokutil --reset
sudo modinfo KO_NAME
- https://blog.monosoul.dev/2022/05/17/automatically-sign-nvidia-kernel-module-in-fedora-36/
- https://rpmfusion.org/Howto/Secure%20Boot
Add the following line to /etc/dracut.conf.d/nvidia.conf.
add_drivers+=" nvidia-drm nvidia-modeset nvidia-uvm nvidia nvidia-peermem "
Run dracut -f --regenerate-all, or use the --kver argument.
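
To check the result for the modules named in the add_drivers line, the signer field printed by modinfo can be compared against the expected certificate name. This is an added example, not one of this repository's scripts: the signer name "Example MOK" and the sample_modinfo output are constructed, and MODINFO is a hypothetical override used to run offline.

```bash
#!/usr/bin/env bash
# MODINFO is a hypothetical override so the demo can run without real modules.
MODINFO=${MODINFO:-modinfo}

# Read modinfo text on stdin; print "signed|<signer>|<hash>" or "unsigned".
sig_status() {
    awk '
        /^signer:/       { sub(/^signer:[ \t]*/, "");       signer = $0 }
        /^sig_hashalgo:/ { sub(/^sig_hashalgo:[ \t]*/, ""); hash = $0 }
        END {
            if (signer != "") printf "signed|%s|%s\n", signer, hash
            else print "unsigned"
        }'
}

# verify_module NAME EXPECTED_SIGNER
# Returns 0 only when the signer field equals EXPECTED_SIGNER. This compares
# names only; the kernel does the cryptographic check when the module loads.
verify_module() {
    _st=$("$MODINFO" "$1" 2>/dev/null | sig_status)
    case "$_st" in
        "signed|$2|"*) echo "OK       $1 ($_st)"; return 0 ;;
        "signed|"*)    echo "FOREIGN  $1 ($_st)"; return 1 ;;
        *)             echo "UNSIGNED $1 (no signer field, or not found)"; return 1 ;;
    esac
}

# Constructed modinfo output for the offline demo (not real driver data).
sample_modinfo() {
    case "$1" in
        nvidia)     printf 'sig_id:         PKCS#7\nsigner:         Example MOK\nsig_hashalgo:   sha256\n' ;;
        nvidia-drm) printf 'sig_id:         PKCS#7\nsigner:         Other Key\nsig_hashalgo:   sha256\n' ;;
        *)          printf 'filename:       /constructed/%s.ko\n' "$1" ;;
    esac
}

# Walk the module names from the add_drivers line and count failures.
demo() {
    _bad=0
    for _m in nvidia-drm nvidia-modeset nvidia-uvm nvidia nvidia-peermem; do
        MODINFO=sample_modinfo verify_module "$_m" "Example MOK" || _bad=$((_bad + 1))
    done
    echo "$_bad module(s) need attention"
}
demo
```

For real use, leave MODINFO unset and pass the name your own certificate shows in the signer field.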