Secure boot is a setup using UEFI firmware to check cryptographic
signatures on the bootloader and associated OS kernel to ensure they
have not been tampered with or bypassed in the boot process.
This verification can be extended to Kernel and its modules.
It's default case in Fedora with UEFI and Secure boot enabled.
Fedora Project have signed kernels and also main modules with Fedora
Key, but 3rd party modules as NVidia, VirtualBox, etc. need to be signed
Akmods provides an enroll process to sign third party modules with your
At the first run of the akmods.service, certificate and keypair will be
created with default value using the '/usr/sbin/kmodgenca' script.
You may also wish to manually create your own certificate and keypair
with `/usr/sbin/kmodgenca` command.
If '/usr/sbin/kmodgenca' is launched with the '-a' parameter, it will
use default values to complete the cacert.config file, and to generate
automatically the cert and the private key.
If '/usr/sbin/kmodgenca' is launched without parameters, user will be
prompted to complete manually the cacert.config file, then the cert and
the private key will be automatically generated.
If the cert and the private key files already exist,
'/usr/sbin/kmodgenca' will exit unless the '-f' parameter is used.
The cert and the private key are stored respectively in
/etc/pki/akmods/certs and /etc/pki/akmods/private/ directories.
Now you need to enroll the public key in MOK, this process is described
- Ask MOK to enroll new keypair with certificate with the command
`mokutil --import /etc/pki/akmods/certs/public_key.der`.
- mokutil asks to generate a password to enroll the public key.
- Rebooting the system is needed for MOK to enroll the new public key.
- On next boot MOK Management is launched and you have to choose
- Choose "Continue" to enroll the key or "View key 0" to show the keys
- Confirm enrollment by selecting "Yes".
- You will be invited to enter the password generated above.
WARNING: keyboard is mapped to QWERTY!
- The new key is enrolled, and system ask you to reboot.
You can confirm the enrollment of the new keypair once the system
`mokutil --list-enrolled | grep Issuer`
`mokutil --test-key /etc/pki/akmods/certs/public_key.der`