PhilProg edited this page Feb 4, 2023 · 6 revisions

Loading the v4l2loopback module in a Secure Boot environment

If your system has Secure Boot enabled, it might refuse to load any unsigned kernel modules.

Typically, you would get something like the following error:

modprobe: ERROR: could not insert 'v4l2loopback': Operation not permitted
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7

Go through the following steps to see if it corrects the problem.

(Note: OBS.priv, OBS.der, and /CN=OBS/ are just the names I chose; you can call them whatever you want.)

The first six steps only need to be done once:

  1. openssl req -new -x509 -newkey rsa:2048 -keyout OBS.priv -outform DER -out OBS.der -nodes -days 36500 -subj "/CN=OBS/"
  2. sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./OBS.priv ./OBS.der $(modinfo -n v4l2loopback) (if you're using Fedora/RHEL/... you have to change linux-headers- to kernels/)
  3. tail $(modinfo -n v4l2loopback) | grep "Module signature appended" (confirm that the module is now signed)
  4. sudo mokutil --import OBS.der (you'll have to set a password at this step; REMEMBER IT!)
  5. Reboot. You will go through a MOK enrollment process in the BIOS; this is where you need the password from step 4.
  6. mokutil --test-key OBS.der (this just confirms it's enrolled)
  7. sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./OBS.priv ./OBS.der $(modinfo -n v4l2loopback) (if you're using Fedora/RHEL/... you have to change linux-headers- to kernels/)

(Not sure if the last step is needed the first time (since you already do it in the beginning), but I had it in my notes for another module with the same issue, so I'm including it here.)

Now every time there's a kernel update, or the v4l2loopback module is updated, you'll have to go through the last step again and reboot.
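
The re-signing step, wrapped as a script to run after each kernel or module update. This is an added example, not part of the original wiki page or the v4l2loopback project. The function names, the optional root-prefix argument and the expected wording of the mokutil output are assumptions. It also checks two things the page does not cover: that the unencrypted private key is not readable by other users, and that the module file is not compressed.

```shell
#!/bin/sh
# Added example: re-sign a module after a kernel or module update (step 7).
MAGIC='~Module signature appended~'   # trailer found at the end of a signed module

# True when FILE ends with the signature trailer (magic plus newline, 28 bytes).
is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\0')" = "$MAGIC" ]
}

# Print the path of sign-file for kernel release $1; $2 is an optional root
# prefix (hypothetical parameter, only there so the lookup can be tested).
find_sign_file() {
    for d in "${2:-}/usr/src/linux-headers-$1" "${2:-}/usr/src/kernels/$1"; do
        [ -x "$d/scripts/sign-file" ] && { printf '%s\n' "$d/scripts/sign-file"; return 0; }
    done
    return 1
}

# True when the key file grants nothing to group or other
# (the key from step 1 is unencrypted because of -nodes).
key_is_private() {
    case "$(ls -ld "$1")" in ????------*) return 0 ;; *) return 1 ;; esac
}

resign_module() {   # $1 = module name, $2 = private key, $3 = DER certificate
    ko=$(modinfo -n "$1") || return 1
    case "$ko" in
        *.ko) ;;
        *) echo "$ko is compressed; sign-file needs the uncompressed .ko" >&2; return 1 ;;
    esac
    sf=$(find_sign_file "$(uname -r)") ||
        { echo "sign-file not found for $(uname -r)" >&2; return 1; }
    key_is_private "$2" || echo "warning: $2 is readable by others (chmod 600 it)" >&2
    # Assumption: mokutil reports an enrolled key with the words "already enrolled".
    mokutil --test-key "$3" | grep -q 'already enrolled' ||
        { echo "$3 is not enrolled; complete steps 4 to 6 first" >&2; return 1; }
    if is_signed "$ko"; then echo "$ko is already signed"; return 0; fi
    sudo "$sf" sha256 "$2" "$3" "$ko" && is_signed "$ko" && echo "signed $ko"
}

# Run only when called with all three arguments, e.g.
#   ./resign.sh v4l2loopback ./OBS.priv ./OBS.der
if [ "$#" -eq 3 ]; then resign_module "$@"; fi
```

Anyone who can read OBS.priv can sign modules that this machine will load, so keep it out of shared or synced directories.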