ubuntu device driver with secure boot

Asked by hyukmin kwon

I'm in charge of device driver development; this driver works as part of the Ubuntu kernel, and the version is 22.04 with kernel 5.13.0-35-generic.

When I had finished developing the driver, I inserted it into the kernel using "insmod" or "modprobe".

The process of inserting these kernel modules into the kernel works without any problem if my system does not use Secure Boot.

But if my system runs with Secure Boot and I insert the kernel module into the kernel using "insmod" or "modprobe",

the command fails with the debug message "operation not permitted".

So to solve this problem, I found this URL "https://wiki.ubuntu.com/UEFI/SecureBoot" and followed the procedure there.

To summarize the explanation, I registered the certificate with my system using "mokutil":

1. Create a certificate
2. Sign my driver module using *.priv
3. Register *.der in the system using "mokutil" and a password
4. Reboot the system
5. Complete the BIOS registration using the password
6. Boot completes
7. Load my driver

The problem occurs at step 5, "complete the BIOS registration using the password".

Under normal circumstances this procedure is natural and necessary.

But in my case, for some reason, step 5 (registering the certificate in the system BIOS) has to be skipped.

So is there any way to skip step 5 and load the driver on a system with Secure Boot enabled?

From what I've found so far, I think it could be solved using a Canonical certificate.

So is there any way I can get a Canonical certificate?

I need everyone's help.

Thank you
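As an added illustration (not part of the question or of any answer on this page), the following Python script inspects the trailer that the signing step (step 2 above) appends to a .ko file, so an administrator can confirm a module is actually signed before rebooting into the MOK enrollment screen. The trailer layout is the kernel's struct module_signature followed by the magic string "~Module signature appended~\n"; the sample module bytes and the signature blob used when no file is given are constructed placeholders, not a real ELF module and not a real PKCS#7 signature (a real one is produced by the kernel's sign-file tool with the *.priv/*.der pair).

```python
"""Inspect the signature trailer that sign-file appends to a kernel module (.ko).

Layout at the end of a signed module (include/linux/module_signature.h):
    <ELF module bytes> <PKCS#7 DER blob> <struct module_signature, 12 bytes> <magic>
"""
import struct
import sys

MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes,
# then sig_len as a big-endian 32-bit integer.
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts for module signatures

# Constructed sample input: not a real ELF object and not a real PKCS#7 signature.
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 28
SAMPLE_PKCS7 = b"\x30\x03\x02\x01\x05"  # a tiny DER SEQUENCE standing in for the blob


def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Build a signed module image the way sign-file lays it out (trailer only).

    The caller supplies the PKCS#7 blob; this is useful for constructing test
    input or re-attaching a detached signature, not for producing a signature.
    """
    trailer = MODULE_SIGNATURE.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + trailer + MODULE_SIG_MAGIC


def parse_module_signature(data: bytes):
    """Return a dict describing the appended signature, or None if the module is unsigned.

    Raises ValueError for a trailer the kernel's own checks would also reject.
    """
    if not data.endswith(MODULE_SIG_MAGIC):
        return None
    body = data[: -len(MODULE_SIG_MAGIC)]
    if len(body) < MODULE_SIGNATURE.size:
        raise ValueError("module too short to hold struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = MODULE_SIGNATURE.unpack(
        body[-MODULE_SIGNATURE.size:]
    )
    rest = body[: -MODULE_SIGNATURE.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}; the kernel expects PKCS#7 (2)")
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("a PKCS#7 trailer must have zero algo/hash/signer_len/key_id_len")
    if sig_len > len(rest):
        raise ValueError("sig_len exceeds module size")
    pkcs7 = rest[len(rest) - sig_len:]
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "module_len": len(rest) - sig_len,
        # A DER PKCS#7 ContentInfo always starts with a SEQUENCE tag (0x30).
        "pkcs7_starts_with_sequence": pkcs7[:1] == b"\x30",
    }


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = append_signature(SAMPLE_MODULE, SAMPLE_PKCS7)
    info = parse_module_signature(data)
    print("unsigned module (no signature trailer)" if info is None else info)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 check_sig.py /path/to/driver.ko`; with no argument it inspects the constructed sample. On a real system `modinfo -F signer driver.ko` and `modinfo -F sig_key driver.ko` show which certificate the signature chains to, which is the thing that must match a key the kernel trusts (a built-in key or an enrolled MOK) for the load to succeed with Secure Boot enabled.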

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
hyukmin kwon (fjdklajiels) said (#2):

help

Manfred Hampl (m-hampl) said (#3):

My understanding is that with signature verification activated, all modules need to be signed, either by an official signature already registered in the EFI database, or with your private key, which needs to be registered manually (= step 5).

Making an official signature key available to everybody who wants to have it defeats the security concept of Secure Boot, because then bad guys can provide signed fake modules that are trusted worldwide.

The only possibility that I know to work without registering your own MOK key is getting your device driver incorporated into the official kernel.
