Closed thebunnyrules closed 6 years ago
Thank you @thebunnyrules for this! 👍
It has to be added to the Wiki! Maybe creating 2 pages (compile without signing, another compile with signing).
Do you want to do it, @thebunnyrules?
Sure, I can do it. I'm not sure about the creating two pages thing, let me play around with it.
Ok, I made the wiki entries. Check it out. See if you like it. Since the signing instructions are long, I gave it its own page as you suggested, but since the normal instructions are simple, I kept them where they were and put a note below them, explaining the signing and linking to the new page.
Awesome work @thebunnyrules 👍.
Most motherboard and laptop manufacturers have a feature called Secure Boot where the hardware will not allow you to run kernels or even install modules for these kernels unless they've been signed by a recognized entity such as Canonical or, gagh!, Microsoft. This is an excellent security feature which will protect you from malicious unsigned kernels or modules, but it is inconvenient when one is trying to install custom kernels or modules compiled from source.
In this tutorial, I will show you how to sign your own modules and install the keys on your machine. I would recommend you do this in an offline environment and that you not store the keys on the machine you're trying to protect or that you shred them after installing them and the signing is finished.
Step 1: Make the Key
Step 2: Register the Key for Secure Boot
sudo mokutil --import MOK.der
(enter PW - doesn't have to be your sudo PW, remember it or note it down, reboot is required to install key)
Step 3: Build the Douane DKMS module
Step 4: Sign the Douane DKMS modules
Put key away somewhere safe. Alternatively, you can just shred it and repeat step 1 and step 2 every time you want to sign something.
Step 5: Install signed module (do this after you've rebooted and installed the key)
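A check that fits between Step 4 and Step 5, added here as an example and not part of the original wiki text or the Douane project: it confirms that each built `.ko` carries the appended-signature marker and that the private key file is accessible to its owner only. The function names and the key file name `MOK.priv` are assumptions; only `MOK.der` appears on the page.

```shell
#!/bin/sh
# Added example: post-signing checks before installing a module under Secure Boot.
# Assumptions: uncompressed .ko files (a .ko.xz or .ko.zst hides the marker
# inside the compressed stream) and a private key file you name yourself.

# Signed modules end with this marker: 27 characters plus a newline = 28 bytes.
SIG_MAGIC='~Module signature appended~'

# 0 = marker present, 1 = marker absent, 2 = not a regular file.
# This is a presence check only; it does not prove the signature verifies
# against a key enrolled in the MOK list.
module_is_signed() {
    [ -f "$1" ] || return 2
    # $(...) strips the trailing newline; tr drops NULs from a binary tail.
    trailer=$(tail -c 28 "$1" | tr -d '\000')
    [ "$trailer" = "$SIG_MAGIC" ]
}

# 0 = no group/other permission bits, 1 = bits set, 2 = file missing.
key_is_owner_only() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints one status line per *.ko in directory $1.
# Return status is the number of unsigned modules (0 = all signed).
audit_modules() {
    unsigned=0
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue
        if module_is_signed "$ko"; then
            echo "signed    $ko"
        else
            echo "UNSIGNED  $ko"
            unsigned=$((unsigned + 1))
        fi
    done
    return "$unsigned"
}
```

Source the file, then run `audit_modules` on the directory holding the built modules and `key_is_owner_only` on the private key before putting the key away or shredding it.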