docs(secure-boot): add DKMS/MOK kernel module signing section#482
Draft
mbocevski wants to merge 1 commit into
Draft
docs(secure-boot): add DKMS/MOK kernel module signing section#482mbocevski wants to merge 1 commit into
mbocevski wants to merge 1 commit into
Conversation
Document how to get MOK-signed DKMS modules (nvidia, openrazer, etc.) to load under Secure Boot: DKMS signs with /var/lib/dkms/mok.key, and the key must be enrolled as a MOK (via shim, since the sbctl setup has no shim) so the kernel trusts it in the .machine keyring. Requires a CachyOS kernel built with IMA (CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT); see CachyOS/linux-cachyos#862 and #863.
mbocevski
force-pushed
the
docs-secure-boot-dkms-mok
branch
from
c0901aa to
85263d9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Blocked on CachyOS/linux-cachyos#863 — please don't merge until that kernel change ships. It documents behaviour that only works once IMA is enabled, so I'm opening it as a draft for visibility and feedback alongside that PR.
Adds a "Signing Kernel Modules (DKMS / MOK)" section to the Secure Boot article. It covers how to get MOK-signed DKMS modules (e.g. openrazer) to load under Secure Boot: DKMS signs them with
/var/lib/dkms/mok.key, and the key has to be enrolled as a MOK — viashim, since thesbctlsetup has no shim — so the kernel trusts it in the.machinekeyring. English.mdxonly; translations are handled by the usual Lunaria workflow.