Signing your kernel modules on Ubuntu 16.04


I have an Asus UX3410UA laptop. To silence the fan I use ACPI calls to adjust the fan tipping point. See this. The "acpi_call" executable needs the kernel module "acpi-call-dkms" in order to run. If Secure Boot is enabled on a computer, this module will not load unless it is signed and the proper keys are enrolled in the EFI. Here's how to do both. The pages I got this from are here, here and here.
  1. Generate a key for signing your kernel modules:
    • Run: "openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=DKMS signing key/"" and input a good password you can remember.
    • Register the keys to Secure Boot: "sudo mokutil --import MOK.der".
    • Check if registering worked: "mokutil --test-key MOK.der".
    • Move the keys to /root: "sudo mv MOK.* /root/".
  2. Reboot and add the key:
    • You will be presented with a blue text screen. Choose "Enroll MOK", then you can choose to view your key or just "Continue". Choose "Yes" and input the password from before. Your key should be added now and you can reboot.
  3. Set up automatic key signing:
    • Create a file "/etc/dkms/sign-kernel-objects.conf" with the following content:
      POST_BUILD=../../../../../../root/sign-kernel.sh
    • Create the script which signs the modules in "/root/sign-kernel.sh" and add the content:
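      #!/bin/bash
      # POST_BUILD hook: sign every module DKMS has just built.
      # Uses $kernelver and $arch from the DKMS build environment.
      cd "../$kernelver/$arch/module/" || exit 1
      for kernel_object in *.ko; do
          echo "Signing kernel_object: $kernel_object"
          # sign-file <hash algo> <private key> <X.509 cert> <module>
          "/usr/src/linux-headers-$kernelver/scripts/sign-file" sha256 /root/MOK.priv /root/MOK.der "$kernel_object"
      done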
    • To activate signing for your kernel module with the name "ABC", add a link to the configuration: "sudo ln -s /etc/dkms/sign-kernel-objects.conf /etc/dkms/ABC.conf". To find out what the correct name of the module is, try listing the modules in "/var/lib/dkms".
  4. You can install the kernel module now and it should be automatically signed.
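
A check to run after step 4, as an added example that is not part of the original post: it tests whether each .ko file in a directory ends with the marker string that the kernel's sign-file tool appends to a signed module. The function names and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# A signed module ends with this 27-character marker plus a newline (28 bytes).
MAGIC='~Module signature appended~'

# Return 0 if the file ends with the module-signature marker,
# 1 if it does not, 2 if the file does not exist.
is_signed_module() {
    [ -f "$1" ] || return 2
    # Read the last 28 bytes; drop NULs so the shell can hold the value.
    # Command substitution strips the trailing newline.
    sig_tail=$(tail -c 28 "$1" | tr -d '\0')
    [ "$sig_tail" = "$MAGIC" ]
}

# Print one status line per *.ko in a directory (hypothetical helper).
# Returns 1 if any module is unsigned, 0 otherwise.
check_module_dir() {
    dir_rc=0
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue          # directory holds no .ko files
        if is_signed_module "$ko"; then
            echo "signed:   $ko"
        else
            echo "UNSIGNED: $ko"
            dir_rc=1
        fi
    done
    return "$dir_rc"
}

# When called with a directory argument, check it.
if [ "$#" -gt 0 ]; then
    check_module_dir "$1"
fi
```

Pass it the directory the signing script changes into, that is, the "module" directory for your kernel version and architecture below "/var/lib/dkms". The marker only shows that a signature was appended; whether the kernel accepts it still depends on the key being enrolled in step 2.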
