Secure Boot
Greg Savage edited this page Nov 15, 2024 · 6 revisions
If your system has Secure Boot enabled, it might refuse to load any unsigned kernel modules.
Typically, you would get something like the following error:
modprobe: ERROR: could not insert 'v4l2loopback': Operation not permitted
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
Go through the following steps to see if it corrects the problem.
(Note: OBS.priv, OBS.der, and /CN=OBS/ are just the names I gave them; you can call them whatever you want.)
The first six steps only need to be done once:
- Use openssl to generate an RSA key with the following parameters:
openssl req -new -x509 -newkey rsa:2048 -keyout OBS.priv -outform DER -out OBS.der -nodes -days 36500 -subj "/CN=OBS/"
- Sign the module with the newly created key - Note: If you're using Fedora/RHEL/... you have to change "linux-headers-" to "kernels/"
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./OBS.priv ./OBS.der $(modinfo -n v4l2loopback)
- Confirm the module has been signed. If grep does not return anything, the signing has failed and the first two steps should be repeated.
tail $(modinfo -n v4l2loopback) | grep -a "Module signature appended"
- Start the enrollment process for the new key you've created using mokutil - you'll have to make a password at this step. REMEMBER IT!
sudo mokutil --import OBS.der
- Reboot. You will go through a MOK enrollment process in the BIOS; you will be prompted for the password created in Step 4.
- Once you've rebooted, test the key to confirm enrollment:
mokutil --test-key OBS.der
- Perform Step 2 again. This step will need to be performed, and the system rebooted, each time an update to either the kernel or v4l2loopback module is performed.
(Not sure if the last step is needed the first time (since you already do it in the beginning), but I had it in my notes for another module with the same issue so I'm including it here.)
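
The signature check from Step 3 and the re-signing from Step 7 combined into one script, as an added example that is not part of the original wiki page. The function names are made up for this example; the key file names and the two sign-file locations are the ones used in the steps above.

```sh
#!/bin/sh
# Added example (not from the wiki page). Function names are hypothetical.

# Trailer that sign-file appends after the signature. On disk it is followed
# by a newline (28 bytes in total) and must be the very end of the file.
MODSIG_MAGIC='~Module signature appended~'

# 0 = trailer present, 1 = absent, 2 = unreadable, 3 = compressed (cannot check)
module_is_signed() {
    [ -r "$1" ] || return 2
    # In a compressed module the trailer sits inside the compressed stream.
    case "$1" in *.xz|*.zst|*.gz) return 3 ;; esac
    tail -c 28 "$1" | grep -qaFx -- "$MODSIG_MAGIC"
}

# Try the two header locations named in Step 2 (linux-headers-, then kernels/).
find_sign_file() {
    for p in "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" \
             "/usr/src/kernels/$(uname -r)/scripts/sign-file"; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# $1 = module name, $2 = private key, $3 = DER certificate
resign_if_needed() {
    mod=$(modinfo -n "$1") || return 1
    rc=0; module_is_signed "$mod" || rc=$?
    case $rc in
        # The trailer only shows a signature is appended, not which key made it.
        0) echo "$1: signature trailer present, nothing to do"; return 0 ;;
        1) ;;
        *) echo "cannot check $mod (status $rc)" >&2; return "$rc" ;;
    esac
    signer=$(find_sign_file) || { echo "sign-file not found" >&2; return 1; }
    sudo "$signer" sha256 "$2" "$3" "$mod" && module_is_signed "$mod"
}
```

Call `resign_if_needed v4l2loopback ./OBS.priv ./OBS.der` after each kernel or v4l2loopback update.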