Secure Boot and Out of Tree Linux Kernel Drivers
If UEFI Secure Boot is enabled, the boot loader, the Linux kernel, and all kernel modules must be signed with a private key and authenticated with the corresponding public key.
A certificate is called a Machine Owner Key (MOK), and the keys can be maintained using the mokutil program.
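As an added example (not part of the original page), this script checks whether an out-of-tree module file carries the signature trailer that the kernel's module signing appends, and reads the signature length from it. The function names and sample files are hypothetical, and the trailer layout is taken from the kernel's module signature format rather than from this page. It assumes uncompressed .ko files.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# A signed module ends with: <signature> <12-byte module_signature> <magic>.
MODSIG_MAGIC='~Module signature appended~'   # followed by "\n" in the file (28 bytes)

# Return 0 if the (uncompressed) module file ends with the signature marker.
module_has_signature() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "$MODSIG_MAGIC" ]
}

# Print the signature length: a big-endian 32-bit field that is the last
# member of struct module_signature, directly before the marker.
module_sig_len() {
    module_has_signature "$1" || return 1
    set -- $(tail -c 32 "$1" | od -An -tu1 -N4)
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the firmware Secure Boot state (requires mokutil on the host).
secure_boot_state() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed"; return 2; }
    mokutil --sb-state
}

# Write two constructed sample files (not real modules) into directory $1.
make_samples() {
    printf 'ELF-payload' > "$1/unsigned.ko"
    {
        printf 'ELF-payload'
        printf 'SIXTEEN-BYTE-SIG'                                   # 16 dummy signature bytes
        printf '\000\000\002\000\000\000\000\000\000\000\000\020'   # id_type=2 (PKCS#7), sig_len=16
        printf '~Module signature appended~\n'
    } > "$1/signed.ko"
}

# Usage: sh check-modsig.sh /path/to/driver.ko ...
for f in "$@"; do
    if module_has_signature "$f"; then
        echo "$f: signature appended ($(module_sig_len "$f") bytes)"
    else
        echo "$f: no appended signature"
    fi
done
```

A present trailer only shows that a signature was appended; whether it verifies against an enrolled key is decided by the kernel when the module is loaded.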
Sources:
- SecureBoot - Debian Wiki
https://wiki.debian.org/SecureBoot
- Working with Kernel Modules (Fedora User Docs)
https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/
- How to sign things for Secure Boot (Ubuntu Blog)
https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
For additional info, search for secure boot and out of tree kernel drivers.
— Martin Burnicki martin.burnicki@burnicki.net, last updated 2022-01-19