Signing DKMS modules #11
Description
Since version 5.4, the Linux kernel has had lockdown enabled by default when SecureBoot is enabled. Therefore, we have to sign all modules to successfully boot the system. There are plenty of tutorials on how to do it with MOK keys and mokutil; however, virtually none of the blog posts and tutorials mention the need to use Shim to provide the MOK key validation wrapper in EFI.
When using SecureBoot in user mode, we do not need MOK; we just need to sign the modules using the DB keys that Sicherboot generates. Therefore, there should be a hook to do this automatically for the modules of the installed kernels.
I tried this for VirtualBox modules built by DKMS on Debian, and it seems to work just fine. I used the following script:
```sh
#!/bin/sh -e
# /etc/kernel/postinst.d/dkms-sign-modules
# Kernel postinst hook: sign every DKMS-built module of the newly installed
# kernel with the sicherboot DB key so it loads under kernel lockdown.
version="$1"
module_dir="/lib/modules/$version/updates/dkms"
sign_file="/lib/modules/$version/build/scripts/sign-file"
db_key="/etc/sicherboot/keys/db.key"
db_cert="/etc/sicherboot/keys/db.cer"
if [ -z "$version" ]
then
	echo "Usage: $0 version" >&2
	exit 1
fi
if ! [ -x "$sign_file" ]
then
	echo "Missing sign_file binary: $sign_file" >&2
	exit 1
fi
# Nothing to do for a kernel without DKMS modules (find would fail under -e).
if ! [ -d "$module_dir" ]
then
	exit 0
fi
echo "" >&2
echo "Signing DKMS kernel modules ..." >&2
echo "Using $sign_file" >&2
# -fprint lists each module on stderr; -exec signs it in place with sha256.
find "$module_dir" -type f -name "*.ko" \
	-fprint /dev/stderr \
	-exec "$sign_file" sha256 "$db_key" "$db_cert" '{}' \;
echo "Signing DKMS kernel modules ... done." >&2
echo "" >&2
```

This script is wrong, untested, and probably does the signing in the wrong place. But it does the trick.
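A post-signing check, added here as an example that is neither the issue author's script nor part of the sicherboot project: it walks a module directory and reports every `.ko` that the hook missed. It assumes the kernel's signed-module layout, in which `scripts/sign-file` appends the signature blob and ends the file with the literal trailer `~Module signature appended~` followed by a newline. It only tests for that trailer; it does not verify the signature against the DB certificate, so it catches unsigned modules, not modules signed with the wrong key. The sample files it creates are constructed stand-ins, not real kernel modules.

```shell
#!/bin/sh
# Added example (not from the sicherboot issue or project): find kernel modules
# that lack the appended-signature trailer written by scripts/sign-file.
# Assumed trailer format: the 27-byte marker below plus a trailing newline.

MODULE_SIG_MARKER="~Module signature appended~"

# is_module_signed FILE
# Returns 0 when FILE ends with the 28-byte signed-module trailer, 1 otherwise.
# tr strips NUL bytes so binary tails of unsigned modules compare cleanly;
# command substitution drops the trailing newline, leaving just the marker.
is_module_signed() {
	[ "$(tail -c 28 "$1" | tr -d '\000')" = "$MODULE_SIG_MARKER" ]
}

# unsigned_modules DIR
# Prints every *.ko under DIR without the trailer, one path per line.
# Returns 0 if all modules are signed, 1 if any is unsigned, 2 if DIR is missing.
unsigned_modules() {
	if ! [ -d "$1" ]; then
		echo "no such directory: $1" >&2
		return 2
	fi
	_count=0
	# The heredoc keeps the loop in the current shell so _count survives it.
	while IFS= read -r _ko; do
		[ -n "$_ko" ] || continue
		if ! is_module_signed "$_ko"; then
			printf '%s\n' "$_ko"
			_count=$((_count + 1))
		fi
	done <<EOF
$(find "$1" -type f -name '*.ko' | sort)
EOF
	[ "$_count" -eq 0 ]
}

# Demonstration on constructed sample files (hypothetical module names, no ELF
# content): one file carries the trailer, one does not.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/updates/dkms"
printf 'elf-stand-in\n' > "$demo_dir/updates/dkms/example_unsigned.ko"
printf 'elf-stand-in\n%s\n' "$MODULE_SIG_MARKER" > "$demo_dir/updates/dkms/example_signed.ko"
if unsigned_modules "$demo_dir"; then
	echo "all modules under $demo_dir are signed" >&2
else
	echo "unsigned modules found under $demo_dir (listed above)" >&2
fi
rm -rf "$demo_dir"
```

On a real installed kernel, run `unsigned_modules /lib/modules/$(uname -r)/updates/dkms` after the postinst hook; an empty listing and a zero exit status mean every DKMS module carries a signature. For a deeper look at one module, `modinfo` prints the `signer`, `sig_key` and `sig_hashalgo` fields of a signed module, which is the quickest way to confirm the DB certificate rather than a MOK key did the signing.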