Secure Boot - linuxwacom/input-wacom GitHub Wiki

Most modern PCs include "secure boot" technology that is able to check the bootloader and kernel for signs of tampering and protect against rootkits. Some distributions extend this protection to kernel modules as well. These protections can be a problem when trying to intentionally load an out-of-tree module like input-wacom, however. The typical symptom is a non-working tablet and the message Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7 showing up in the output of dmesg. This page describes how to configure your system so that a trusted module is built. A high-level overview of how module signing works is also available.

Note that if you've already set up your system, you only need to follow the build instructions; it is not necessary to re-generate or re-register the secure boot keys. Version 0.43.0 and later of input-wacom should auto-discover the keys on Debian-based distributions (Ubuntu, Mint, etc.), but the paths must be provided explicitly (e.g. /root/MOK.priv and /root/MOK.der) on Fedora and other distributions.

Enabling and Disabling Secure Boot

Disabling secure boot is not recommended as a fix, but doing so temporarily can confirm whether your issue really is due to secure boot rather than some other problem. The precise steps to disable secure boot vary between systems, but the following is fairly typical:

  1. Print these instructions or open them on another computer.

  2. Save and close any open documents and programs.

  3. Run systemctl reboot --firmware-setup to restart the computer and enter the UEFI (BIOS) setup.

  • NOTE: If this command does not work, reboot the computer normally and, when the manufacturer logo is displayed, press the appropriate key to enter UEFI (BIOS) setup. This is typically "F2", "Del", "Enter", etc.

  4. Open the "Secure Boot" item in the "Security" tab.

  5. Change the "Secure Boot" item to "Disabled".

  6. Save and exit setup.

Once secure boot has been disabled, the Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7 message should no longer be present in dmesg and your tablet should begin working. If the message is still present, verify that secure boot is actually disabled (mokutil --sb-state reports the firmware's current setting). If the message is not present but the tablet still does not work, the problem is elsewhere: check that your input-wacom driver was installed properly.

If the tablet works properly, you should re-enable secure boot and then proceed to the following section.
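
The decision tree above can be checked without rebooting into firmware setup. The script below is an added example, not part of the wiki or of input-wacom: it decodes the SecureBoot EFI variable as exposed by efivarfs (a 4-byte attribute header precedes the one data byte), reads the active mode from /sys/kernel/security/lockdown, and scans dmesg for the lockdown message, then returns the same verdict the paragraph above arrives at by hand. The sample bytes and log lines are constructed stand-ins for those files, and the regular expression is assumed to cover the wording of the lockdown message on the kernel versions in use.

```python
import re
import struct

# Standard paths read by diagnose_live_system(); the samples below stand in
# for their contents and were constructed for this example, not captured.
SECUREBOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
LOCKDOWN_FILE = "/sys/kernel/security/lockdown"

# efivarfs prepends a 4-byte little-endian attribute word to the variable
# data; SecureBoot's data is a single byte, 1 = enforcing.
SAMPLE_EFIVAR_SB_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_EFIVAR_SB_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_LOCKDOWN_INTEGRITY = "none [integrity] confidentiality\n"
SAMPLE_LOCKDOWN_NONE = "[none] integrity confidentiality\n"
SAMPLE_DMESG_BLOCKED = [
    "[   12.345678] usb 1-2: new full-speed USB device number 4 using xhci_hcd",
    "[   12.567890] Lockdown: modprobe: Loading of unsigned modules is restricted; see man kernel_lockdown.7",
]
SAMPLE_DMESG_CLEAN = SAMPLE_DMESG_BLOCKED[:1]

# The message wording differs between kernel versions ("Loading of unsigned
# modules is restricted" vs. "unsigned module loading is restricted"), so
# match only the part both share (assumption: this covers the kernels in use).
LOCKDOWN_MODULE_RE = re.compile(r"Lockdown: .*unsigned module")


def secure_boot_enabled(efivar: bytes) -> bool:
    """Decode the efivarfs SecureBoot variable (attribute header + 1 data byte)."""
    if len(efivar) < 5:
        raise ValueError("SecureBoot variable too short: %r" % efivar)
    (_attributes,) = struct.unpack_from("<I", efivar, 0)  # header, not needed further
    return efivar[4] == 1


def lockdown_mode(text: str) -> str:
    """The active mode is the bracketed word, e.g. 'none [integrity] confidentiality'."""
    m = re.search(r"\[(\w+)\]", text)
    if not m:
        raise ValueError("unrecognised lockdown file contents: %r" % text)
    return m.group(1)


def unsigned_module_refused(dmesg_lines) -> bool:
    """True if any dmesg line is the lockdown refusal this page is about."""
    return any(LOCKDOWN_MODULE_RE.search(line) for line in dmesg_lines)


def diagnose(efivar: bytes, lockdown_text: str, dmesg_lines) -> dict:
    """Apply the page's decision tree and say what to check next."""
    sb = secure_boot_enabled(efivar)
    mode = lockdown_mode(lockdown_text)
    refused = unsigned_module_refused(dmesg_lines)
    if refused and sb:
        verdict = "module-rejected-by-secure-boot"      # sign the module (next section)
    elif refused:
        # Secure boot is off but lockdown still refuses the module: lockdown was
        # enabled another way (e.g. lockdown= on the kernel command line), so
        # flipping the firmware setting alone is not enough.
        verdict = "lockdown-active-without-secure-boot"
    else:
        verdict = "not-a-lockdown-problem"              # check the driver install
    return {"secure_boot": sb, "lockdown": mode,
            "unsigned_module_refused": refused, "verdict": verdict}


def diagnose_live_system() -> dict:
    """Read the real files on this machine (dmesg may require root)."""
    import subprocess
    with open(SECUREBOOT_EFIVAR, "rb") as f:
        efivar = f.read()
    with open(LOCKDOWN_FILE) as f:
        lockdown_text = f.read()
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True,
                           check=True).stdout.splitlines()
    return diagnose(efivar, lockdown_text, dmesg)


if __name__ == "__main__":
    print(diagnose(SAMPLE_EFIVAR_SB_ON, SAMPLE_LOCKDOWN_INTEGRITY, SAMPLE_DMESG_BLOCKED))
```

Run it with no arguments to see the verdict for the constructed samples, or call diagnose_live_system() on a machine with the tablet attached. The "lockdown-active-without-secure-boot" branch is the case the paragraph above does not spell out: when the kernel was booted with lockdown forced on by other means, the firmware toggle will not make the message go away, and the key-signing procedure in the next section is still what fixes it.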

Creating and Registering Keys

In order for the input-wacom driver to load with secure boot enabled, the system must recognize it as a trusted kernel module. This first requires you to create a signing key and enroll its certificate in the Machine Owner Key (MOK) database, which shim hands to the kernel as a source of trusted keys. Once the key is enrolled, it can be used in the build process to produce a signed driver that the system will trust. The private half of the key is as sensitive as the MOK database itself: anyone who can read it can sign modules your kernel will load. Both commands below write it unencrypted (-nodes), so keep it readable by root only.

Ubuntu, Mint, Debian

Ubuntu provides a helper tool that simplifies much of the configuration process. Use the following instructions to set up your system:

  1. Create a file named mokconfig.cnf with the following contents, replacing the fields marked YOUR under [ req_distinguished_name ] with your own information.
  • NOTE: Remove the <> around your values. YOURcountrycode must be the two-letter ISO 3166 country code: for example, "USA" is not an acceptable country code, only "US" is.
# This definition stops the following lines failing if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd 
[ req ]
distinguished_name      = req_distinguished_name
x509_extensions         = v3
string_mask             = utf8only
prompt                  = no

[ req_distinguished_name ]
countryName             = <YOURcountrycode>
stateOrProvinceName     = <YOURstate>
localityName            = <YOURcity>
0.organizationName      = <YOURorganization>
commonName              = Secure Boot Signing Key
emailAddress            = <YOURemail>

[ v3 ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical,CA:FALSE
extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment               = "OpenSSL Generated Certificate"
  2. Run the following command to create the public and private key pair:
openssl req -config ./mokconfig.cnf \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "MOK.priv" \
        -out "MOK.der"
  3. Run sudo mokutil --import MOK.der to enroll the key into the MOK database.

  4. Enter a temporary password at the input password: prompt, and repeat it when asked.

  • NOTE: This password is used only once, at the next reboot, to prove you are physically present. It is okay to use something simple like password or 12345.
  5. Reboot the computer. A blue screen titled "Perform MOK management" will appear instead of Linux.
  • NOTE: If you do not respond within 10 seconds the computer will continue the boot process and load Linux. If this happens, go back to step 3.
  6. Select the "Enroll MOK" option, then "Continue", then "Yes".

  7. When asked for a password, type in the temporary password from step 4.

  8. Select "Reboot".

Fedora, SUSE, Arch Linux, etc.

  1. Run the following command (as root, hence the # prompt) to create an OpenSSL configuration file, replacing the three values under [ req_distinguished_name ] with your own:
# cat << EOF > configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
  2. Run openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config configuration_file.config -outform DER -out public_key.der -keyout private_key.priv to generate a key pair for secure boot.

  3. Run sudo mokutil --import public_key.der to enroll the key into the MOK database.

  4. Enter a temporary password at the input password: prompt, and repeat it when asked.

  • NOTE: This password is used only once, at the next reboot, to prove you are physically present. It is okay to use something simple like password or 12345.
  5. Reboot the computer. A blue screen titled "Perform MOK management" will appear instead of Linux.
  • NOTE: If you do not respond within 10 seconds the computer will continue the boot process and load Linux. If this happens, go back to step 3.
  6. Select the "Enroll MOK" option, then "Continue", then "Yes".

  7. When asked for a password, type in the temporary password from step 4.

  8. Select "Reboot".

Building a Signed Driver

Once the system has been configured by following the instructions above, it should be possible to build the driver using the standard build instructions.
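
To see what "a signed driver" actually is, and to check a built .ko before loading it, the script below parses the signature trailer that the kernel's scripts/sign-file appends to a module: the PKCS#7 DER blob, a 12-byte struct module_signature, and the magic string "~Module signature appended~\n". It is an added example, not code from the wiki or from input-wacom; it performs the structural checks the kernel makes before cryptographic verification (signature id type, zeroed legacy fields, length in range) but does not verify the signature itself. The module body and the five-byte DER SEQUENCE are constructed placeholders standing in for a real module and a real PKCS#7 signature.

```python
import struct

# Trailer layout written by scripts/sign-file and checked by the kernel's
# mod_check_sig(): [module][PKCS#7 DER][struct module_signature][magic].
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 __pad[3], __be32 sig_len  (12 bytes, big-endian length).
MODULE_SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2

# Constructed sample inputs (not a real module or a real signature): an
# ELF-looking body and a tiny DER SEQUENCE standing in for the PKCS#7 blob.
SAMPLE_MODULE = b"\x7fELF" + bytes(60) + b"fake input-wacom module body"
SAMPLE_PKCS7_DER = b"\x30\x03\x02\x01\x2a"   # SEQUENCE { INTEGER 42 }


def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Append a signature block the way sign-file does: PKCS#7 id type,
    zeroed legacy fields, big-endian length of the DER blob, then the magic."""
    info = MODULE_SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + info + MODULE_SIG_STRING


def split_signature(blob: bytes):
    """Return (module_bytes, pkcs7_der); pkcs7_der is None for an unsigned file.
    Raises ValueError on a malformed trailer, mirroring mod_check_sig()."""
    if not blob.endswith(MODULE_SIG_STRING):
        return blob, None
    body = blob[:len(blob) - len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIG_STRUCT.size:
        raise ValueError("file too small to hold a module_signature struct")
    fields = MODULE_SIG_STRUCT.unpack(body[len(body) - MODULE_SIG_STRUCT.size:])
    algo, hash_, id_type, signer_len, key_id_len, sig_len = fields
    body = body[:len(body) - MODULE_SIG_STRUCT.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported signature id_type %d" % id_type)
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("PKCS#7 signatures must leave algo/hash/signer/key_id zero")
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len %d out of range for %d remaining bytes" % (sig_len, len(body)))
    cut = len(body) - sig_len
    return body[:cut], body[cut:]


def describe(blob: bytes) -> dict:
    """Summarise the trailer the way modinfo's sig_id/sig_len fields do, plus a
    sanity check that the signature bytes are DER (outer tag 0x30 = SEQUENCE)."""
    module, der = split_signature(blob)
    if der is None:
        return {"signed": False}
    return {
        "signed": True,
        "sig_id": "PKCS#7",
        "sig_len": len(der),
        "der_sequence": der[0] == 0x30,
        "module_len": len(module),
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 modsig.py path/to/module.ko   (no argument: the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = append_signature(SAMPLE_MODULE, SAMPLE_PKCS7_DER)
    print(describe(blob))
```

Point it at the .ko produced by the build: {"signed": False} means the build did not sign the module (typically because it could not find the key paths mentioned at the top of this page), and the kernel will refuse it under lockdown regardless of what is enrolled in MOK. On a real system modinfo -F sig_id and modinfo -F signer on the same file report the same trailer, the latter printing the commonName of the certificate ("Secure Boot Signing Key" with the Ubuntu config above), which should match the certificate you enrolled. The trailer is produced by scripts/sign-file from your kernel headers (sign-file sha256 MOK.priv MOK.der module.ko), which is also how to sign a module by hand if the build did not.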
