From c092780bf371d962a98165f1740e9bc0feb242bc Mon Sep 17 00:00:00 2001 From: Oleg Date: Wed, 17 Jul 2024 17:54:35 +0300 Subject: [PATCH 1/7] Added signing section to the README --- README.md | 4 +++- docs/SIGNING.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 docs/SIGNING.md diff --git a/README.md b/README.md index 4a03d21..c3a91c4 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,8 @@ And that's basically it ## How to use this driver? You can install it through AUR package, through DKMS or manually. +On SecureBoot enabled systems you will need additional steps for load this driver into the system. See [Signing](docs/SIGNING.md#signing) + ### AUR package There's an [AUR package](https://aur.archlinux.org/packages/universal-ff-dkms-git) for Arch Linux maintained by [@Lawstorant](https://github.com/Lawstorant). @@ -57,7 +59,7 @@ Best for debugging purposes, where you need frequently change codebase/branches 4. Load module into system with `sudo insmod hid-universal-pidff.ko` To unload module: -`sudo rmmod hid_universal_pidff` +`sudo rmmod hid_universal_pidff`' ## How to set up a base parameters? ### MOZA diff --git a/docs/SIGNING.md b/docs/SIGNING.md new file mode 100644 index 0000000..554e27d --- /dev/null +++ b/docs/SIGNING.md 
@@ -0,0 +1,48 @@ + +# Signing + +## Signing module for SecureBoot +Latest kernels forbid loading custom kernel modules into the system with SecureBoot enabled. + +For SecureBoot enabled system you have a choice: +1. Disable SecureBoot in your UEFI/BIOS +2. Use generated Machine Owner Key from DKMS (supports automatic signing) +3. Create Machine Owner Key and load it into your UEFI/BIOS, and sign kernel module with it. + +### Using DKMS MOK key +MOK private key and certificates are generated the first time DKMS is run. You just need to import it to your system. +``` +# Check if keys are present in default path +ls -al /var/lib/dkms/mok* + +# Enroll keys into system +sudo mokutil --import /var/lib/dkms/mok.pub +``` +You need to reboot your PC after that, you will be greated with blue screen dialog. +Choose "Enroll MOK", then "Continue" and "Yes". After that choose "Reboot system". + +Now DKMS should sign updated modules automatically as they updated. + +[Reference](https://github.com/dell/dkms/blob/master/README.md#module-signing) + +### Manually create MOK key and manually sign kernel module +``` +# This creates Machine Owner Key +openssl req -new -x509 -newkey rsa:2048 -keyout mok.key -outform DER -out mok.pub -nodes -days 36500 -subj "/CN=$hostname kernel module signing key/" + +# This loads it into UEFI +sudo mokutil --import mok.pub +``` + +You need to reboot your PC after that, you will be greated with blue screen dialog +Choose "Enroll MOK", enter your MOK password if exists, then "Continue", "Yes", and then reboot your system. + +After that you can manually sign your built kernel module like so (feel free to adjust paths to keys/certificate/modules): +``` +sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 mok.key mok.pub hid-universal-pidff.ko +``` + +Then you should be able to load driver like so: +``` +sudo insmod hid-universal-pidff.ko +``` \ No newline at end of file From d2585bcf170affdb89fbc3100ffc97604b09f7ad Mon Sep 17 00:00:00 2001 
From: Oleg Date: Wed, 17 Jul 2024 17:55:47 +0300 Subject: [PATCH 2/7] Small change to README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c3a91c4..c2447f5 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ And that's basically it ## How to use this driver? You can install it through AUR package, through DKMS or manually. -On SecureBoot enabled systems you will need additional steps for load this driver into the system. See [Signing](docs/SIGNING.md#signing) +On SecureBoot enabled systems you will need additional steps for load this driver into the system. See [Signing](docs/SIGNING.md#signing) section. ### AUR package There's an [AUR package](https://aur.archlinux.org/packages/universal-ff-dkms-git) for Arch Linux maintained by [@Lawstorant](https://github.com/Lawstorant). From 3ff83db322762f70a50f6d79b7b92dbf082f0bc0 Mon Sep 17 00:00:00 2001 From: Oleg Date: Wed, 17 Jul 2024 17:56:17 +0300 Subject: [PATCH 3/7] We need to *install* driver, not *use* it --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c2447f5..8408826 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ And that's basically it 2. `Firmware Update` function. Use Windows PC or Windows VM at the moment. 3. Setup through proprietary software. May require [some tweaking](#how-to-set-up-a-base-parameters)) -## How to use this driver? +## How to install this driver? You can install it through AUR package, through DKMS or manually. On SecureBoot enabled systems you will need additional steps for load this driver into the system. See [Signing](docs/SIGNING.md#signing) section. From 34d6d6b2949f4f6613c1da54ffc807fb5f2e32f3 Mon Sep 17 00:00:00 2001 From: Oleg Date: Wed, 17 Jul 2024 18:19:22 +0300 Subject: [PATCH 4/7] Fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8408826..645efa8 100644 --- a/README.md 
+++ b/README.md @@ -59,7 +59,7 @@ Best for debugging purposes, where you need frequently change codebase/branches 4. Load module into system with `sudo insmod hid-universal-pidff.ko` To unload module: -`sudo rmmod hid_universal_pidff`' +`sudo rmmod hid_universal_pidff` ## How to set up a base parameters? ### MOZA From b58aee44034be5051b87df6ac7a7466ed9663169 Mon Sep 17 00:00:00 2001 From: Oleg Date: Wed, 17 Jul 2024 18:19:58 +0300 Subject: [PATCH 5/7] Only unsigned modules affected --- docs/SIGNING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/SIGNING.md b/docs/SIGNING.md index 554e27d..47fb0d5 100644 --- a/docs/SIGNING.md +++ b/docs/SIGNING.md @@ -2,7 +2,7 @@ # Signing ## Signing module for SecureBoot -Latest kernels forbid loading custom kernel modules into the system with SecureBoot enabled. +Latest kernels forbid loading unsigned custom kernel modules into the system with SecureBoot enabled. For SecureBoot enabled system you have a choice: 1. Disable SecureBoot in your UEFI/BIOS From 38c629829f380fcfa49d82524de459ae97aadcf0 Mon Sep 17 00:00:00 2001 From: Oleg Date: Thu, 18 Jul 2024 06:11:49 +0300 Subject: [PATCH 6/7] Fix spelling --- docs/SIGNING.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/SIGNING.md b/docs/SIGNING.md index 47fb0d5..f3f2764 100644 --- a/docs/SIGNING.md +++ b/docs/SIGNING.md @@ -18,7 +18,7 @@ ls -al /var/lib/dkms/mok* # Enroll keys into system sudo mokutil --import /var/lib/dkms/mok.pub ``` -You need to reboot your PC after that, you will be greated with blue screen dialog. +You need to reboot your PC after that, you will be greeted with blue screen dialog. Choose "Enroll MOK", then "Continue" and "Yes". After that choose "Reboot system". Now DKMS should sign updated modules automatically as they updated. 
@@ -34,7 +34,7 @@ openssl req -new -x509 -newkey rsa:2048 -keyout mok.key -outform DER -out mok.pu sudo mokutil --import mok.pub ``` -You need to reboot your PC after that, you will be greated with blue screen dialog +You need to reboot your PC after that, you will be greeted with blue screen dialog Choose "Enroll MOK", enter your MOK password if exists, then "Continue", "Yes", and then reboot your system. After that you can manually sign your built kernel module like so (feel free to adjust paths to keys/certificate/modules): From bfbdb9620e61c130f02f29c2670804af13f41b3d Mon Sep 17 00:00:00 2001 From: Oleg Date: Fri, 19 Jul 2024 11:55:35 +0300 Subject: [PATCH 7/7] Update information about key path --- docs/SIGNING.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/SIGNING.md b/docs/SIGNING.md index f3f2764..65c0b94 100644 --- a/docs/SIGNING.md +++ b/docs/SIGNING.md @@ -11,12 +11,23 @@ For SecureBoot enabled system you have a choice: ### Using DKMS MOK key MOK private key and certificates are generated the first time DKMS is run. You just need to import it to your system. + +The location as well can be changed by setting the appropriate variables in /etc/dkms/framework.conf. For example, to allow usage of the system default Ubuntu update-secureboot-policy set the configuration file as follows: ``` -# Check if keys are present in default path +mok_signing_key="/var/lib/shim-signed/mok/MOK.priv" +mok_certificate="/var/lib/shim-signed/mok/MOK.der" +``` + +``` +# Find where keys are on your distro ls -al /var/lib/dkms/mok* +# OR (on Ubuntu) +ls -al /var/lib/shim-signed/mok/MOK* # Enroll keys into system sudo mokutil --import /var/lib/dkms/mok.pub +# OR (on Ubuntu) +sudo mokutil --import /var/lib/shim-signed/mok/MOK.der ``` You need to reboot your PC after that, you will be greeted with blue screen dialog. Choose "Enroll MOK", then "Continue" and "Yes". After that choose "Reboot system".
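Review bot: the sentence added to README.md in 1/7 (`+On SecureBoot enabled systems you will need additional steps for load this driver into the system.`) has a grammar slip: "additional steps for load" should be "additional steps to load". Kernel and distribution documentation also spell the feature "Secure Boot" (two words); the README and the headings in the new docs/SIGNING.md could adopt that spelling consistently. The `docs/SIGNING.md#signing` anchor does match the `# Signing` heading created in the same commit, so the link itself is fine.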
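Review bot: the second README.md hunk in 1/7 appends a stray `'` after the closing backtick of the `sudo rmmod hid_universal_pidff` command. This is unrelated to the signing change and is only reverted in 4/7 ("Fix typo"); drop it here, or squash 4/7 into this commit, so that no revision in the series ships a broken unload command.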
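Review bot: the manual MOK recipe in the new docs/SIGNING.md leaves the signing key unprotected: `openssl req ... -keyout mok.key ... -nodes` writes an unencrypted private key and nothing tells the reader to restrict access to it. Anyone who can read `mok.key` can sign a module that this machine's kernel will then load, which is precisely what Secure Boot is meant to prevent, so add a `chmod 600 mok.key` step (or generate it as root) and a sentence that the key must never be committed or copied around. Further points in the same file: `$hostname` in the `-subj` argument is an unset variable in most shells and expands to an empty string, `$(hostname)` is what was intended; the `sign-file` path `/usr/src/linux-headers-$(uname -r)/scripts/sign-file` is Debian/Ubuntu-specific, whereas `/lib/modules/$(uname -r)/build/scripts/sign-file` resolves on Arch (the AUR target) as well; "Latest kernels forbid loading custom kernel modules" misstates the cause, it is module signature enforcement (kernel lockdown) that distribution kernels switch on when Secure Boot is active, and it rejects modules not signed by a trusted key rather than custom modules as such (5/7 corrects only part of this); option 1, disabling Secure Boot, deserves a caveat that it removes boot-chain verification for everything on the machine, not just this driver; the procedure ends at `insmod` with no verification step, `modinfo hid-universal-pidff.ko | grep -E '^(signer|sig_key|sig_hashalgo)'` shows whether the module carries a signature and `mokutil --test-key mok.pub` whether the certificate is enrolled, and when `insmod` is refused the reason is recorded in `dmesg`; finally the file lacks a trailing newline.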
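Review bot: the corrected sentence in 5/7, `+Latest kernels forbid loading unsigned custom kernel modules into the system with SecureBoot enabled.`, still ties the behaviour to kernel version. The restriction is module signature enforcement (kernel lockdown in integrity mode), which distribution kernels enable when they detect Secure Boot; a kernel built without that enforcement accepts unsigned modules regardless of the firmware setting. "Unsigned" is also too narrow: a module signed with a key the kernel does not trust is rejected the same way, which is exactly why the MOK has to be enrolled through shim before the signed module loads. Suggest: "With Secure Boot enabled, distribution kernels run in lockdown mode and only load modules signed by a key they trust (a built-in key, or a Machine Owner Key enrolled via shim)."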
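Review bot: the retained line in the second 6/7 hunk, "enter your MOK password if exists", is misleading: `mokutil --import` always prompts for a one-time password when the certificate is queued, and MokManager asks for that same password before it completes "Enroll MOK", so there is no "if". The DKMS section (first hunk of this commit) omits the password step entirely; its sequence "Enroll MOK", "Continue", "Yes" leaves out the password prompt that follows. Document the prompt in both places, ideally in this commit, since these lines are already being touched.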
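Review bot: in the 7/7 hunk the `ls -al /var/lib/dkms/mok*` check is framed as "Find where keys are", but the more important thing that listing reveals is the mode of `mok.key`: it must stay readable by root only (0600), because a readable private key lets any local user sign a module this kernel will load, and the same applies to `/var/lib/shim-signed/mok/MOK.priv` once it is referenced from /etc/dkms/framework.conf. Say so next to the listing. Two smaller points: the Ubuntu files under `/var/lib/shim-signed/mok/` are generated by Ubuntu's `update-secureboot-policy --new-key` and may not exist yet on a fresh install, which the text does not mention; and interleaving `# OR (on Ubuntu)` alternatives inside one fenced block means a reader who pastes the block runs both variants, so split it into one block per distribution. The opening sentence "The location as well can be changed by setting the appropriate variables" also reads awkwardly; "The key location can be changed by setting `mok_signing_key` and `mok_certificate` in /etc/dkms/framework.conf" is clearer.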