https://wiki.debian.org/SecureBoot
https://wiki.ubuntu.com/UEFI/SecureBoot
https://wiki.archlinux.org/title/Unifie ... ecure_Boot
in order to create Machine Owner keys and sign during DKMS post installation any kernel modules required, currently the Nvidia driver package modules.
I have been using this process for quite some time; my kernel module signing script is:
```bash
#!/bin/bash
###############################################################################
# Linux Kernel DKMS Module Signing script hook
###############################################################################
# Arguments: kernel version and path of the module to sign
readonly KERNEL_VERSION="${1}"
readonly MODULE_FILEPATH="${2}"
# sign-file from the headers of the kernel the module is built for
readonly SIGN_TOOL="/usr/src/linux-headers-${KERNEL_VERSION}/scripts/sign-file"
readonly SIGN_ALGORITHM="sha256"
readonly PRIVATE_KEY="/var/lib/shim-signed/mok/MOK.priv"
readonly PUBLIC_KEY="/var/lib/shim-signed/mok/MOK.der"

echo "Linux Kernel version: ${KERNEL_VERSION} - Signing module ${MODULE_FILEPATH}"
echo "SIGN_TOOL: ${SIGN_TOOL}"

# Read passphrase without echoing it to the terminal (-s);
# sign-file takes it from the KBUILD_SIGN_PIN environment variable
echo -n "Passphrase for the private key: "
read -rs KBUILD_SIGN_PIN
echo
export KBUILD_SIGN_PIN

# Sign the module in place; a non-zero exit status reports the failure
"${SIGN_TOOL}" "${SIGN_ALGORITHM}" \
    "${PRIVATE_KEY}" "${PUBLIC_KEY}" \
    "${MODULE_FILEPATH}" \
    || exit 1
exit 0
```
```
/etc/dkms/framework.conf
```
```
sign_tool="/root/sign-dkms-modules.sh"
```
```
sudo -> apt -> dpkg -> nvidia-kernel-d -> frontend -> common.postinst -> dkms -> dkms -> sign-dkms-modules.sh
```
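To confirm that a hook like the one above actually signed a module, the trailer that `sign-file` appends to the file can be checked directly. This is an added example, not part of the original post; it assumes an uncompressed `.ko` file, and the function names and the constructed sample file are hypothetical.

```shell
#!/bin/bash
# Added example: detect the signature trailer sign-file appends to a module.
# Assumes an uncompressed .ko; function names here are hypothetical.
SIG_MAGIC='~Module signature appended~'  # stored in the file followed by "\n"
MAGIC_LEN=28                             # 27 characters + newline
INFO_LEN=12                              # struct module_signature before it

to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Prints "signed id_type=<n> sig_len=<bytes>" (returns 0), "unsigned" or
# "corrupt" (returns 1); returns 2 if the file cannot be read.
module_sig_info() {
    local file size want have id_type sig_len
    file=$1
    [ -r "$file" ] || return 2
    size=$(( $(wc -c < "$file") ))
    if [ "$size" -lt $((MAGIC_LEN + INFO_LEN)) ]; then echo unsigned; return 1; fi
    want=$(printf '%s\n' "$SIG_MAGIC" | to_hex)
    have=$(tail -c "$MAGIC_LEN" "$file" | to_hex)
    if [ "$have" != "$want" ]; then echo unsigned; return 1; fi
    # Fields: algo hash id_type signer_len key_id_len pad[3] sig_len(be32)
    set -- $(tail -c $((MAGIC_LEN + INFO_LEN)) "$file" | head -c "$INFO_LEN" | od -An -v -tu1)
    id_type=$3
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    # The signature cannot be longer than what precedes the trailer.
    if [ "$sig_len" -gt $((size - MAGIC_LEN - INFO_LEN)) ]; then echo corrupt; return 1; fi
    echo "signed id_type=${id_type} sig_len=${sig_len}"
}

# Constructed sample (not a real module): 7 payload bytes, a 7-byte stand-in
# signature, a trailer with id_type=2 (PKCS#7) and sig_len=7, then the marker.
make_sample_module() {
    {
        printf 'PAYLOAD'
        printf 'SIGBLOB'
        printf '\000\000\002\000\000\000\000\000\000\000\000\007'
        printf '%s\n' "$SIG_MAGIC"
    } > "$1"
}

# When run as a script with a path argument, report on that file.
if [ "${1:-}" ]; then module_sig_info "$1"; fi
```

The check only shows that a signature trailer is present and well-formed; whether the kernel accepts it still depends on the signing key being enrolled as a MOK.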