Tuesday, January 31, 2017

Automate DKMS modules signing in Linux

Some time ago I managed to sign the DKMS Nvidia modules with generated keys and upload those to UEFI. Of course, I had to sign the modules every time they were rebuilt, i.e. when the kernel or the Nvidia driver gets updated. So after a few kernel updates I decided to automate the task via a postinst.d hook.

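#!/bin/sh
# Kernel postinst.d hook: $1 is the kernel version passed to the hook.

DKMS_DIR="/lib/modules/$1/updates/dkms"
KEYS_DIR=/opt/sign
SIGN_CMD="/usr/src/linux-headers-$1/scripts/sign-file"

# Sign every DKMS-built module with the MOK key and certificate.
for file in "$DKMS_DIR"/*.ko
do
    [ -e "$file" ] || continue    # glob matched nothing: no modules to sign
    "$SIGN_CMD" sha256 "$KEYS_DIR/MOK.priv" "$KEYS_DIR/MOK.der" "$file" > /dev/null 2>&1
done

# Report success regardless of the signing results.
exit 0

Not quite sure, but it looks like it will also get executed on kernel uninstall :) Now I need to address Nvidia package updates.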
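The hook discards the output of sign-file and always exits 0, so a module that failed to sign goes unnoticed until it is refused at load time. The check below is an added example, not the author's code: it lists modules that lack the trailer sign-file appends. It assumes uncompressed .ko files as in the hook; the function names `module_is_signed`, `list_unsigned` and `make_demo_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: report DKMS modules that carry no appended signature.
# The marker below is the trailer that sign-file writes at the end of a module.
MAGIC='~Module signature appended~'
MAGIC_HEX=$(printf '%s\n' "$MAGIC" | od -An -tx1 | tr -d ' \n')

# Succeeds if FILE ends with the marker (28 bytes including the newline).
# This shows a signature is present, not that it verifies against the MOK.
module_is_signed() {
    [ -f "$1" ] || return 2
    tail_hex=$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$tail_hex" = "$MAGIC_HEX" ]
}

# Prints every *.ko in DIR without the marker; fails if any is found.
list_unsigned() {
    unsigned=0
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue        # glob matched nothing
        if ! module_is_signed "$ko"; then
            echo "$ko"
            unsigned=1
        fi
    done
    [ "$unsigned" -eq 0 ]
}

# Constructed sample input: two fake module files in a temporary directory.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf 'fake-module-body' > "$d/unsigned.ko"
    printf 'fake-module-body<sig>%s\n' "$MAGIC" > "$d/signed.ko"
    echo "$d"
}

# With an argument, check that directory (the hook's DKMS_DIR);
# without one, run against the constructed demo files.
target=${1:-$(make_demo_dir)}
if list_unsigned "$target"; then
    echo "all modules in $target carry a signature marker"
else
    echo "the modules listed above are unsigned" >&2
fi
```

For a module that passes, `modinfo -F signer` on the file shows which key the signature claims to come from.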
