How to Sign the OpenRazer Driver on Fedora with DKMS and Secure Boot

14 Nov, 2024 · AlexIn Tech · 3 min read

Automating the signing of OpenRazer drivers on Fedora with DKMS and Secure Boot

When setting up OpenRazer drivers on a Fedora system with Secure Boot enabled, the drivers must be signed for the kernel to accept them. Manual signing becomes repetitive, because it has to be repeated with each new kernel update. Fortunately, we can use DKMS and its single signing key (public certificate: mok.pub) to streamline this process. In this guide, I will explain how DKMS handles module signing, why the mok.pub key works universally, and how to set it up on your Fedora system.

Why use DKMS and mok.pub?

DKMS (Dynamic Kernel Module Support) automates the building and signing of kernel modules. The mok.pub file, generated by DKMS, is the public certificate of the key DKMS signs with, so it acts as a universal signature check for everything DKMS builds. By enrolling this key as a Machine Owner Key (MOK) in your EFI (Extensible Firmware Interface), you allow your Fedora system to trust all modules managed by DKMS, including OpenRazer, DisplayLink (EVDI), and others, thus simplifying the signing process.

Here’s how to configure DKMS and mok.pub to automate the signing of your OpenRazer drivers.

Step 1: Install DKMS and OpenRazer

First, ensure that DKMS and mokutil are installed, along with the OpenRazer drivers:

sudo dnf install dkms mokutil openrazer-meta

Step 2: Register the DKMS key with Secure Boot

The mok.pub key, located at /var/lib/dkms/mok.pub, is automatically generated by DKMS. DKMS signs every module it builds with the matching private key, so enrolling mok.pub covers OpenRazer and other modules without requiring specific driver names.

To enroll this key (mokutil asks you to set a one-time password, which you will need again in Step 3):

sudo mokutil --import /var/lib/dkms/mok.pub

Step 3: Complete the key enrollment in EFI

After running the above command, restart your system. Upon boot, the MOK management screen prompts you to complete the enrollment. Follow the on-screen instructions and enter the password you set when running mokutil --import to import the key into the EFI firmware.

Step 4: Verify the key enrollment (optional)

After rebooting, you can confirm that the key has been successfully enrolled by running:

mokutil --list-enrolled | grep DKMS

If the DKMS certificate (mok.pub) appears in the output, you are all set!

Step 5: Let DKMS handle new kernel signing

From now on, DKMS will automatically sign the OpenRazer module (and any other module managed by DKMS) each time it builds the module for a newly installed kernel. If for any reason a module is not signed after a kernel update, you can manually ask DKMS to rebuild and sign it:

sudo dkms autoinstall
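
The checks from Steps 4 and 5 can be combined into one audit script. This is an added example, not part of the original post; it assumes the DKMS default private key path /var/lib/dkms/mok.key, the OpenRazer module name razerkbd, and the "SHA1 Fingerprint:" and "signer:" lines printed by mokutil and modinfo.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the DKMS signing setup.
# Parsing helpers read command output on stdin so they can be checked offline.

# Lowercase hex with separators removed, for format-independent comparison.
norm_fp() { tr -d ': \n' | tr 'A-F' 'a-f'; }

# SHA-1 fingerprint of a DER certificate (DKMS writes mok.pub as DER).
cert_fp() {
  openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | norm_fp
}

# Succeeds if fingerprint $1 is among the "SHA1 Fingerprint:" lines of
# `mokutil --list-enrolled` output supplied on stdin.
is_enrolled() {
  local want line
  want=$(printf '%s' "$1" | norm_fp)
  while IFS= read -r line; do
    case $line in
      *"SHA1 Fingerprint:"*)
        [ "$(printf '%s' "${line#*Fingerprint:}" | norm_fp)" = "$want" ] && return 0 ;;
    esac
  done
  return 1
}

# Prints the signer field of `modinfo` output on stdin; empty means unsigned.
module_signer() { sed -n 's/^signer:[[:space:]]*//p'; }

# Succeeds only if the file exists and grants nothing to group or other.
key_is_private() { [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]; }

# Live audit. $1 = module name, $2 = certificate, $3 = private key (assumed defaults).
audit() {
  local mod=$1 cert=${2:-/var/lib/dkms/mok.pub} key=${3:-/var/lib/dkms/mok.key} signer
  mokutil --sb-state
  if mokutil --list-enrolled | is_enrolled "$(cert_fp "$cert")"; then
    echo "OK   $cert is enrolled as a MOK"
  else
    echo "FAIL $cert is not enrolled"
  fi
  signer=$(modinfo "$mod" | module_signer)
  echo "INFO $mod signer: ${signer:-<unsigned>}"
  key_is_private "$key" || echo "WARN $key is accessible to group/other"
}

# Run as root with a module name, e.g.: sudo bash audit.sh razerkbd
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Comparing fingerprints is stricter than grepping for "DKMS" in the enrolled list, because it confirms that the enrolled certificate is the one currently on disk.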

Why this method works

The mok.pub key is general-purpose, allowing your Fedora system to trust any kernel module signed with it. Since DKMS takes care of signing the modules as they are built or rebuilt, you won’t need to sign them manually after each kernel update. This setup also enhances security by only loading trusted modules while ensuring convenience. Because that trust covers anything signed with the matching private key (by default /var/lib/dkms/mok.key), keep that file readable by root only.

Conclusion

By enrolling the DKMS mok.pub key, you simplify the installation of the OpenRazer driver on Fedora and eliminate the need for repetitive manual signing. This method not only saves time but also secures your system by allowing Secure Boot to load only verified modules.

Enjoy!

AlexIn Tech

SysOps Engineer | IT Teacher
Versatile IT Engineer with a dual specialization in System Engineering and Management, AlexIn Tech teaches IT to CFC apprentice IT specialists at ETML, the Technical School of Lausanne 🇨🇭. Passionate about IT, innovation, and knowledge sharing, he shares his discoveries and learnings here to inspire new generations.