-
Notifications
You must be signed in to change notification settings - Fork 0
/
sign-dkms-modules
executable file
·45 lines (31 loc) · 1.33 KB
/
sign-dkms-modules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#!/bin/bash
set -eEu
if [ $# -ne 2 ]; then
cat <<-EOF
Signs all installed DKMS modules so they can be used with Secure Boot. You need to create a MOK keypair and enroll it on your machine for this to take effect.
The script is intended for use on Debian but may also work on other distributions that use the same paths.
Usage: $0 MOK.priv MOK.der
The Debian wiki has instructions for creating and enrolling your key:
https://wiki.debian.org/SecureBoot#Enroling_a_new_key
Here's a copy of their instructions for reference:
# openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/" -nodes
# mokutil --import MOK.der // prompts for one-time password
# mokutil --list-new // recheck your key will be prompted on next boot
<rebooting machine then enters MOK manager EFI utility: enroll MOK, continue, confirm, enter password, reboot>
# dmesg | grep cert // verify your key is loaded
EOF
exit 1
fi
priv="$1"
der="$2"
algo="sha256"
shopt -s nullglob
for kerneldir in /lib/modules/*/; do
version="$(basename "$kerneldir")"
major="$(echo "$version"|cut -d. -f1,2)"
signfile="/usr/lib/linux-kbuild-$major/scripts/sign-file"
for dkmsmodulepath in $kerneldir/updates/dkms/*.ko; do
echo "Signing $dkmsmodulepath"
"$signfile" "$algo" "$priv" "$der" "$dkmsmodulepath"
done
done