By admin
This procedure needs the following packages:
- mokutil
Signing a driver for the first time
If you do not yet have MOK.der and MOK.priv files on your system:
- Create a signing DER certificate.
- Sign the driver with the newly created certificates.
- Let UEFI use your newly created certs.
Create a signing key and self-signed DER certificate (only if none is available on your system).
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=<A good description>/"
Sign the driver with the created signing certificate
Signing the created driver
> sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/<location of the driver>
Finally, tell UEFI to use the key. mokutil asks you to set a one-time password; after the reboot, the MOK manager screen asks for it again to confirm the enrollment.
Tell UEFI the key is ready
> sudo mokutil --import ./MOK.der
Example:
Signing a driver
> openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=RTL8822bu - AC53 Nano wifi usb/"
> sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/4.13.0-19-generic/kernel/drivers/net/wireless/88x2bu.ko
> sudo mokutil --import MOK.der
> reboot
Kernel update
After a kernel update, rebuild your driver for the new kernel, then sign it again using your previously created DER certificate.
Signing the created driver
> cd <location of your MOK.der and MOK.priv certificates>
> sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/<location of the driver>
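The kernel-update step above as a script you can run with sudo. This is an added example, not part of the original page. It refuses to use a MOK.priv that other users can read and confirms afterwards that the signature trailer is present. The function names and the SIGN_FILE override are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): re-sign a rebuilt module after a
# kernel update, reusing the existing MOK.priv / MOK.der. Run as root.
# Assumes an uncompressed .ko; SIGN_FILE is a hypothetical override knob.

MAGIC='~Module signature appended~'   # trailer that sign-file appends

# 0 if the file ends with the signature trailer (28 bytes including newline).
# This shows a signature is present, not which key produced it.
module_is_signed() {
    [ "$(tail -c 28 "$1" | LC_ALL=C tr -d '\000')" = "$MAGIC" ]
}

# 0 if the private key is NOT readable by group or others. The key was created
# with -nodes (unencrypted), so file permissions are its only protection.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# resign_module <module.ko> <dir holding MOK.priv and MOK.der> [kernel release]
resign_module() {
    mod=$1 keydir=$2 kver=${3:-$(uname -r)}
    signer=${SIGN_FILE:-/usr/src/linux-headers-$kver/scripts/sign-file}
    [ -f "$mod" ] || { echo "no such module: $mod" >&2; return 2; }
    [ -f "$keydir/MOK.priv" ] && [ -f "$keydir/MOK.der" ] ||
        { echo "MOK.priv/MOK.der missing in $keydir" >&2; return 2; }
    key_is_private "$keydir/MOK.priv" ||
        { echo "refusing: MOK.priv is group/world readable (chmod 600)" >&2; return 3; }
    if module_is_signed "$mod"; then
        echo "already signed: $mod"; return 0
    fi
    "$signer" sha256 "$keydir/MOK.priv" "$keydir/MOK.der" "$mod" || return 1
    module_is_signed "$mod" || { echo "signing left no trailer: $mod" >&2; return 1; }
    echo "signed: $mod"
}

# Stand-alone use: sudo sh resign.sh <module.ko> <key directory> [kernel release]
if [ "$#" -ge 2 ]; then resign_module "$@"; fi
```

The certificate enrolled with mokutil --import stays enrolled across kernel updates, so only the signing step has to be repeated.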