@christo070
Last active January 1, 2025 17:36
How to sign NVIDIA or Virtual Box Modules for Secure Boot in Debian 12 or Ubuntu

The commands in this article are run on Debian 12 Bookworm. If your system is Ubuntu or any other Debian-based distribution, the default locations may be different, but the instructions remain the same.

This assumes you have installed the NVIDIA driver from the apt repository (if you downloaded the NVIDIA driver from the website instead, refer to the first web page in the References).

Ensure that Secure Boot is off, or that Secure Boot is enabled in Audit mode (which modes are available depends on your PC manufacturer's UEFI firmware). The Secure Boot mode can be changed in the UEFI settings.

UEFI Secure Boot Mode setting (screenshot): here it is in Deployed mode; change it to Audit mode.

Secure Boot state can be checked by

sudo mokutil --sb-state

With Secure Boot in Audit mode the output is

SecureBoot disabled
Platform is in Setup Mode

Find the location of the MOK signing key and MOK certificate. The location is configured in /etc/dkms/framework.conf; the default is /var/lib/dkms (for Debian) and /var/lib/shim-signed/mok (for Ubuntu).

MOK_LOCATION="/var/lib/dkms" # For Debian
MOK_LOCATION="/var/lib/shim-signed/mok" # For Ubuntu

Install pwgen from apt repository by

sudo apt install pwgen

This is required to generate a strong passphrase for the private key.

Step 1: Enrolling the DKMS signing key into your machine

sudo mokutil --import "$MOK_LOCATION"/mok.pub

This command prompts for a one-time password; adjust the path if your MOK certificate is not located at "$MOK_LOCATION"/mok.pub.

sudo mokutil --list-new # confirm the key is queued: enrollment is prompted on the next boot

Rebooting the machine then enters the MOK manager EFI utility: enroll MOK, continue, confirm, enter the one-time password, reboot.

Step 2: Set Linux Kernel info variables and Private & Public Key variables

VERSION="$(uname -r)"
SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
MODULES_DIR=/lib/modules/$VERSION
KBUILD_DIR=/usr/lib/linux-kbuild-$SHORT_VERSION

Set Private and Public Key variables

PRIV_KEY="$MOK_LOCATION"/mok.key
PUB_KEY="$MOK_LOCATION"/mok.pub

Generate and record the passphrase for the private key:

export KBUILD_SIGN_PIN="$(pwgen -CBsync 64 1)" # exported so that sudo --preserve-env can pass it to sign-file

This creates one passphrase of 64 characters.

Step 3: Sign NVIDIA Modules

cd "$MODULES_DIR/updates/dkms" # For dkms packages

To sign a specific module (nvidia-current is used here):

sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 "$PRIV_KEY" "$PUB_KEY" nvidia-current.ko

Or sign all modules below the current directory

find -name \*.ko | while read i; do sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 "$PRIV_KEY" "$PUB_KEY" "$i" || break; done

If the modules are needed to boot your machine, make sure to update the initramfs, e.g. using

sudo update-initramfs -k all -u

Step 3: Sign Virtual Box Modules

Part 1

Ubuntu has chosen to place their auto-generated MOK at "/var/lib/shim-signed/mok/", which some software such as Oracle's virtualbox package expect to be present.

If you are on Ubuntu, skip to Part 2.

Otherwise (e.g. on Debian, where the default MOK_LOCATION is not /var/lib/shim-signed/mok), follow the instructions below:

sudo mkdir -p /var/lib/shim-signed/mok
sudo openssl req -nodes -new -x509 -newkey rsa:2048 -outform DER -addext "extendedKeyUsage=codeSigning" -keyout /var/lib/shim-signed/mok/MOK.priv -out /var/lib/shim-signed/mok/MOK.der
sudo mokutil --import /var/lib/shim-signed/mok/MOK.der

Rebooting the machine then enters the MOK manager EFI utility: enroll MOK, continue, confirm, enter the one-time password, reboot.

MOK_LOCATION="/var/lib/shim-signed/mok"
VERSION="$(uname -r)"
SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
MODULES_DIR=/lib/modules/$VERSION
KBUILD_DIR=/usr/lib/linux-kbuild-$SHORT_VERSION
PRIV_KEY="$MOK_LOCATION"/MOK.priv
PUB_KEY="$MOK_LOCATION"/MOK.der
export KBUILD_SIGN_PIN="$(pwgen -CBsync 64 1)" # exported so that sudo --preserve-env can pass it to sign-file

Part 2

Change to the directory holding the modules of the Oracle packages:

cd "$MODULES_DIR/misc" # For Oracle packages

To sign a specific module (vboxdrv is used here):

sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 "$PRIV_KEY" "$PUB_KEY" vboxdrv.ko

Or sign all modules below the current directory

find -name \*.ko | while read i; do sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 "$PRIV_KEY" "$PUB_KEY" "$i" || break; done

If the modules are needed to boot your machine, make sure to update the initramfs, e.g. using

sudo update-initramfs -k all -u
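The two signing loops on this page (DKMS modules under updates/dkms and Oracle modules under misc) can be wrapped in one script that skips modules already carrying a signature and verifies the result, which is the check you want before rebooting with Secure Boot in Deployed mode. This is an added example, not code from the gist; it assumes the variables from Steps 2 and 3 ($KBUILD_DIR, $PRIV_KEY, $PUB_KEY, $KBUILD_SIGN_PIN, $MODULES_DIR) are set and exported, and the function names (is_signed_ko, list_unsigned, count_unsigned, sign_ko, sign_tree) are my own. The signature check relies on the fixed trailer that the kernel's sign-file appends to every signed module.

```shell
#!/bin/sh
# Added example (not from the gist): sign every unsigned .ko under a
# directory with the MOK key from Steps 2/3 and verify the result.
# Assumes $KBUILD_DIR, $PRIV_KEY, $PUB_KEY and $KBUILD_SIGN_PIN are set and
# exported as in the steps above; the function names are my own.

# sign-file appends this exact trailer (27 characters plus a newline, 28
# bytes) to every signed module, so its presence marks a signed file.
SIG_MAGIC='~Module signature appended~'

# is_signed_ko FILE -> exit 0 if FILE already ends with the signature trailer.
is_signed_ko() {
    tail -c 28 "$1" 2>/dev/null | grep -qaF "$SIG_MAGIC"
}

# list_unsigned DIR -> print the path of every .ko below DIR that is unsigned.
list_unsigned() {
    find "$1" -name '*.ko' | while IFS= read -r ko; do
        is_signed_ko "$ko" || printf '%s\n' "$ko"
    done
}

# count_unsigned DIR -> print how many .ko files below DIR are unsigned.
count_unsigned() {
    list_unsigned "$1" | wc -l | tr -d ' '
}

# sign_ko FILE -> sign one module in place, exactly as the gist does.
sign_ko() {
    sudo --preserve-env=KBUILD_SIGN_PIN \
        "$KBUILD_DIR"/scripts/sign-file sha256 "$PRIV_KEY" "$PUB_KEY" "$1"
}

# sign_tree DIR -> sign only the modules below DIR that are still unsigned,
# then fail loudly if any module lacks the trailer afterwards.
sign_tree() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    list_unsigned "$1" | while IFS= read -r ko; do
        sign_ko "$ko" || { echo "sign-file failed on $ko" >&2; exit 1; }
        echo "signed: $ko"
    done || return 1
    left=$(count_unsigned "$1")
    if [ "$left" -ne 0 ]; then
        echo "$left module(s) under $1 are still unsigned" >&2
        return 1
    fi
    echo "all modules under $1 carry a signature trailer"
}

# Usage, mirroring the gist's directories (run after Steps 1 and 2):
#   sign_tree "$MODULES_DIR/updates/dkms"   # DKMS packages, e.g. nvidia-current
#   sign_tree "$MODULES_DIR/misc"           # Oracle VirtualBox packages
#   sudo update-initramfs -k all -u         # if the modules are needed at boot
```

The loop re-reads the directory after signing instead of trusting sign-file's exit status alone, so a module that was skipped or left unsigned is reported before you switch the firmware back to Deployed mode.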

Step 4: Now reboot the PC with Secure Boot enabled in Deployed mode

!!! NOTE: Make sure Secure Boot is enabled in Deployed mode; otherwise the system is less secure and there is no point in doing all of the above steps.

Optional Commands

Verify that a module is signed (look for the signer, sig_key and sig_hashalgo fields in the output):

sudo modinfo nvidia-current

To ensure that Secure Boot is enabled:

sudo mokutil --sb-state

gives the output SecureBoot enabled.

To check that the NVIDIA driver is working with Secure Boot enabled:

nvidia-smi

prints a table of the detected GPUs and the processes using them.

To view all of the loaded modules

kmod list

To view loaded NVIDIA Modules

kmod list | grep nvidia

To view loaded Virtual Box Modules

kmod list | grep vbox
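Once the machine is back in Deployed mode, the optional commands above can be automated: confirm Secure Boot is actually enforcing, confirm that the certificate you imported is the one shim holds in its MOK list (by fingerprint), and list the signer of every loaded nvidia/vbox module so that an unsigned or differently signed module stands out. This is an added example, not part of the gist; it assumes $PUB_KEY points at the DER certificate enrolled in Step 1 (mok.pub or MOK.der), and the function names (sb_state_ok, normalize_fp, cert_fingerprint, mok_enrolled, loaded_module_signers) are my own.

```shell
#!/bin/sh
# Added example (not from the gist): post-reboot verification. Assumes
# $PUB_KEY is the DER certificate enrolled in Step 1 (mok.pub or MOK.der);
# function names are my own.

# sb_state_ok TEXT -> exit 0 only if the `mokutil --sb-state` output reports
# SecureBoot enabled and does not mention Setup Mode (the Audit-mode output
# shown earlier on this page).
sb_state_ok() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled' &&
        ! printf '%s\n' "$1" | grep -q 'Setup Mode'
}

# normalize_fp (stdin) -> strip the label and lower-case the hex so that
# "SHA1 Fingerprint=AB:CD" (openssl) and "SHA1 Fingerprint: ab:cd" (mokutil)
# compare equal.
normalize_fp() {
    sed -e 's/^[^=:]*[=:] *//' | tr 'A-F' 'a-f'
}

# cert_fingerprint DERFILE -> SHA1 fingerprint line of the MOK certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1
}

# mok_enrolled DERFILE -> exit 0 if shim's enrolled MOK list contains a key
# with the same SHA1 fingerprint as DERFILE.
mok_enrolled() {
    want=$(cert_fingerprint "$1" | normalize_fp)
    sudo mokutil --list-enrolled | grep -i 'SHA1 Fingerprint' |
        normalize_fp | grep -qxF "$want"
}

# loaded_module_signers REGEX -> for every loaded module whose name matches
# REGEX print "<module><TAB><signer>"; the signer column is empty for an
# unsigned module, which is exactly what you are looking for.
loaded_module_signers() {
    kmod list | awk -v pat="$1" 'NR > 1 && $1 ~ pat { print $1 }' |
        while IFS= read -r mod; do
            printf '%s\t%s\n' "$mod" "$(modinfo -F signer "$mod" 2>/dev/null)"
        done
}

# Run all checks with: sh verify-secureboot.sh check
case "${1:-}" in
    check)
        state=$(sudo mokutil --sb-state)
        sb_state_ok "$state" || { echo "Secure Boot is not enforcing: $state" >&2; exit 1; }
        mok_enrolled "$PUB_KEY" || { echo "$PUB_KEY is not in the enrolled MOK list" >&2; exit 1; }
        echo "Secure Boot enforcing and MOK enrolled; loaded module signers:"
        loaded_module_signers '^(nvidia|vbox)'
        ;;
esac
```

Comparing fingerprints rather than subject names catches the case where a second certificate with the same "DKMS module signing key" subject was enrolled at some point, and a blank signer column in the last listing means that module will be refused once Secure Boot is enforcing.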

References

  1. Debian Wiki - Secure Boot
  2. Debian Wiki - NVIDIA Graphics
  3. Debian Wiki - Virtual Box