Source: https://superdanby.github.io/Blog/signing-kernel-modules-for-secure-boot.html Accessed: 2023-02-13
Make sure Secure Boot is off. In order to sign the modules, they should exist in the current environment. Turning on Secure Boot will block the modules from loading in the first place.
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"
Descriptive name is the name of the key. E.g. "/CN=Yee~"
sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der "$(modinfo -n MODULE_NAME)"
Note that you can sign multiple modules. Just repeat this step for each module until all modules are signed.
sudo mokutil --import MOK.der
You'll be prompted to enter a password for later use in MOK.
reboot
- Press any key within 10 seconds to enter MOK.
- Enroll MOK
- Continue
- Enter the password you just created.
- OK
mokutil --list-enrolled
You can now turn Secure Boot back on!
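
The signing step above has to be repeated for every module, so here is a small wrapper that does the repetition and first checks whether each module already carries a signature. It is an added example, not part of the original post; the script name sign-modules.sh and the function names are hypothetical, and it assumes MOK.priv and MOK.der are in the current directory.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes MOK.priv and MOK.der
# (from the openssl step) are in the current directory.

# Text that sign-file leaves at the very end of a signed module (the kernel's
# MODULE_SIG_STRING); with its trailing newline it is 28 bytes long.
SIG_MARKER='~Module signature appended~'

# module_state FILE: print signed, unsigned, compressed or missing.
module_state() {
    [ -f "$1" ] || { echo missing; return; }
    case "$1" in
        # sign-file appends to the file as given, so a compressed module
        # has to be decompressed before it can be signed.
        *.xz|*.gz|*.zst) echo compressed; return ;;
    esac
    if [ "$(tail -c 28 "$1" | tr -d '\0')" = "$SIG_MARKER" ]; then
        echo signed
    else
        echo unsigned
    fi
}

# sign_modules NAME...: sign every named module that is still unsigned.
sign_modules() {
    sign_file="/usr/src/kernels/$(uname -r)/scripts/sign-file"
    for name in "$@"; do
        path=$(modinfo -n "$name") || { echo "$name: not found" >&2; continue; }
        state=$(module_state "$path")
        if [ "$state" = unsigned ]; then
            sudo "$sign_file" sha256 ./MOK.priv ./MOK.der "$path" &&
                echo "$name: now $(module_state "$path")"
        else
            echo "$name: skipped ($state)"
        fi
    done
}

# Usage: sh sign-modules.sh MODULE_NAME [MODULE_NAME ...]
if [ "$#" -gt 0 ]; then sign_modules "$@"; fi
```

A module reported as signed only has a signature appended; whether the kernel accepts it under Secure Boot still depends on the signing key being enrolled, which mokutil --list-enrolled shows.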