public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH docs] secure boot: add subsection for DKMS/MOK
@ 2023-11-23  9:45 Fabian Grünbichler
  2023-11-23 10:18 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Fabian Grünbichler @ 2023-11-23  9:45 UTC (permalink / raw)
  To: pve-devel

similar, but a bit more beginner friendly compared to the wiki article.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 system-booting.adoc | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/system-booting.adoc b/system-booting.adoc
index 0cc9c13..511eddf 100644
--- a/system-booting.adoc
+++ b/system-booting.adoc
@@ -492,3 +492,46 @@ disk as a boot option in the UEFI firmware setup utility and run
 TIP: To enroll custom keys, see the accompanying
 https://pve.proxmox.com/wiki/Secure_Boot_Setup#Setup_instructions_for_db_key_variant[Secure
 Boot wiki page].
+
+Using DKMS/third party modules with Secure Boot
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+On systems with Secure Boot enabled, the kernel will refuse to load modules
+which are not signed by a trusted key. The default set of modules shipped with
+the kernel packages is signed with an ephemeral key embedded in the kernel
+image which is trusted by that specific version of the kernel image.
+
+In order to load other modules, such as those built with DKMS or manually, they
+need to be signed with a key trusted by the Secure Boot stack. The easiest way
+to achieve this is to enroll them as Machine Owner Key (`MOK`) with `mokutil`.
+
+The `dkms` tool will automatically generate a keypair and certificate in
+`/var/lib/dkms/mok.key` and `/var/lib/dkms/mok.pub` and use it for signing
+the kernel modules it builds and installs.
+
+You can view the certificate contents with
+
+----
+# openssl x509 -in /var/lib/dkms/mok.pub -noout -text
+----
+
+and enroll it on your system using the following command:
+
+----
+# mokutil --import /var/lib/dkms/mok.pub
+input password:
+input password again:
+----
+
+The `mokutil` command will ask for a (temporary) password twice, this password
+needs to be entered one more time in the next step of the process! Rebooting
+the system should automatically boot into the `MOKManager` EFI binary, which
+allows you to verify the key/certificate and confirm the enrollment using the
+password selected when starting the enrollment using `mokutil`. Afterwards, the
+kernel should allow loading modules built with DKMS (which are signed with the
+enrolled `MOK`). The `MOK` can also be used to sign custom EFI binaries and
+kernel images if desired.
+
+The same procedure can also be used for custom/third-party modules not managed
+with DKMS, but the key/certificate generation and signing steps need to be done
+manually in that case.
-- 
2.39.2

* [pve-devel] applied: [PATCH docs] secure boot: add subsection for DKMS/MOK
  2023-11-23  9:45 [pve-devel] [PATCH docs] secure boot: add subsection for DKMS/MOK Fabian Grünbichler
@ 2023-11-23 10:18 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2023-11-23 10:18 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

Am 23/11/2023 um 10:45 schrieb Fabian Grünbichler:
> similar, but a bit more beginner friendly compared to the wiki article.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>  system-booting.adoc | 43 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 43 insertions(+)
> 
>

applied, thanks!