Update information about key path

Fix spelling
Only unsigned modules affected
2024-07-19 11:55:35 +03:00 · 2024-07-18 06:11:49 +03:00 · 2024-07-17 18:19:58 +03:00 · 2024-07-17 18:19:22 +03:00 · 2024-07-17 17:56:17 +03:00 · 2024-07-17 17:55:47 +03:00
2 changed files with 62 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -29,9 +29,11 @@ And that's basically it
 2. `Firmware Update` function. Use Windows PC or Windows VM at the moment.
 3. Setup through proprietary software. May require [some tweaking](#how-to-set-up-a-base-parameters))

-## How to use this driver?
+## How to install this driver?
 You can install it through AUR package, through DKMS or manually.

+On SecureBoot enabled systems you will need additional steps for load this driver into the system. See [Signing](docs/SIGNING.md#signing) section.
+
 ### AUR package
 There's an [AUR package](https://aur.archlinux.org/packages/universal-ff-dkms-git) for Arch Linux maintained by [@Lawstorant](https://github.com/Lawstorant).

--- a/docs/SIGNING.md
+++ b/docs/SIGNING.md
@@ -0,0 +1,59 @@
+
+# Signing
+
+## Signing module for SecureBoot
+Latest kernels forbid loading unsigned custom kernel modules into the system with SecureBoot enabled.
+
+For SecureBoot enabled system you have a choice:
+1. Disable SecureBoot in your UEFI/BIOS
+2. Use generated Machine Owner Key from DKMS (supports automatic signing)
+3. Create Machine Owner Key and load it into your UEFI/BIOS, and sign kernel module with it.
+
+### Using DKMS MOK key
+MOK private key and certificates are generated the first time DKMS is run. You just need to import it to your system.
+
+The location as well can be changed by setting the appropriate variables in /etc/dkms/framework.conf. For example, to allow usage of the system default Ubuntu update-secureboot-policy set the configuration file as follows:
+```
+mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
+mok_certificate="/var/lib/shim-signed/mok/MOK.der"
+```
+
+```
+# Find where keys are on your distro
+ls -al /var/lib/dkms/mok*
+# OR (on Ubuntu)
+ls -al /var/lib/shim-signed/mok/MOK*
+
+# Enroll keys into system
+sudo mokutil --import /var/lib/dkms/mok.pub
+# OR (on Ubuntu)
+sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
+```
+You need to reboot your PC after that, you will be greeted with blue screen dialog.
+Choose "Enroll MOK", then "Continue" and "Yes". After that choose "Reboot system".
+
+Now DKMS should sign updated modules automatically as they updated.
+
+[Reference](https://github.com/dell/dkms/blob/master/README.md#module-signing)
+
+### Manually create MOK key and manually sign kernel module
+```
+# This creates Machine Owner Key
+openssl req -new -x509 -newkey rsa:2048 -keyout mok.key -outform DER -out mok.pub -nodes -days 36500 -subj "/CN=$hostname kernel module signing key/"
+
+# This loads it into UEFI
+sudo mokutil --import mok.pub
+```
+
+You need to reboot your PC after that, you will be greeted with blue screen dialog
+Choose "Enroll MOK", enter your MOK password if exists, then "Continue", "Yes", and then reboot your system.
+
+After that you can manually sign your built kernel module like so (feel free to adjust paths to keys/certificate/modules):
+```
+sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 mok.key mok.pub hid-universal-pidff.ko
+```
+
+Then you should be able to load driver like so:
+```
+sudo insmod hid-universal-pidff.ko
+```
Author	SHA1	Message	Date
Oleg	bfbdb9620e	Update information about key path	2024-07-19 11:55:35 +03:00
Oleg	38c629829f	Fix spelling	2024-07-18 06:11:49 +03:00
Oleg	b58aee4403	Only unsigned modules affected	2024-07-17 18:19:58 +03:00
Oleg	34d6d6b294	Fix typo	2024-07-17 18:19:22 +03:00
Oleg	3ff83db322	We need to install driver, not use it	2024-07-17 17:56:17 +03:00
Oleg	d2585bcf17	Small change to README.md	2024-07-17 17:55:47 +03:00
Oleg	c092780bf3	Added signing section to the README	2024-07-17 17:54:35 +03:00
Makarenko Oleg	dcdd8c1e6a	Merge pull request #14 from JacKeTUs/docs-update Some README changes	2024-07-16 18:13:10 +03:00