Tuesday, August 05, 2025

UEFI: Signing a compiled driver with default certs.

This procedure needs the following packages:

  • mokutil

Signing a driver.

> sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/$(uname -r)/kernel/drivers/<location of the driver>

OR

> sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der <kernel-module/driver name>

Example:

> sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/$(uname -r)/kernel/drivers/net/wireless/88x2bu.ko

OR

> sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der 88x2bu.ko

Kernel update

After a kernel update, rebuild your driver for the new kernel, then sign it again using your previously created DER certificate.

Signing the created driver

> sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/$(uname -r)/kernel/drivers/<location of the driver>

OR

> sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der <kernel-module/driver name>
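
Checking that the signature was actually appended (an added example, not part of the original procedure): sign-file and kmodsign write the signature, a 12-byte descriptor and a magic string to the end of the module file, and the function below reads that trailer back. It assumes an uncompressed .ko file; the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect the signature trailer that sign-file/kmodsign append.
MAGIC='~Module signature appended~'   # on disk it is followed by "\n": 28 bytes

hex() { od -An -v -tx1 | tr -d ' \n'; }

# module_sig_info FILE
# Prints "id_type=<n> sig_len=<n>" and returns 0 when FILE ends with a
# plausible signature trailer; returns 1 if unsigned, 2 if unreadable.
module_sig_info() {
    f=$1
    [ -r "$f" ] || return 2
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 40 ] || return 1
    # Compare the last 28 bytes with the magic string, byte for byte.
    [ "$(tail -c 28 "$f" | hex)" = "$(printf '%s\n' "$MAGIC" | hex)" ] || return 1
    # The 12 bytes before the magic are struct module_signature:
    # algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (big-endian u32).
    set -- $(tail -c 40 "$f" | od -An -v -tu1 -N12)
    id_type=$3
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    # The signature blob must fit between the module body and the trailer.
    [ "$sig_len" -gt 0 ] && [ "$sig_len" -lt $((size - 40)) ] || return 1
    echo "id_type=$id_type sig_len=$sig_len"
}

# Stand-alone use: ./check-sig.sh /path/to/module.ko  (script name is hypothetical)
if [ $# -gt 0 ]; then module_sig_info "$1"; fi
```

An id_type of 2 means a PKCS#7 signature. This only confirms that a trailer is present and well-formed; whether the kernel accepts the module still depends on the signing certificate being enrolled as a MOK.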
