Jason Gerecke edited this page Jun 13, 2019 · 4 revisions

Most modern PCs include "secure boot" technology that checks the signatures of the bootloader and kernel before running them, which protects against tampering and rootkits. Some distributions extend this protection to kernel modules as well: the kernel refuses to load any module that is not signed by a key it trusts. These protections can be a problem when trying to intentionally load an out-of-tree module like input-wacom, however. The typical symptom is a non-working tablet and the message Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7 showing up in the output of dmesg. This page describes how to configure your system so that a signed module the kernel will trust is built. A high-level overview of how module signing works is also available.

Note that if you've already set up your system, then you only need to follow the build instructions. It is not necessary to re-generate or re-register the secure boot keys. Version 0.43.0 and later of input-wacom should auto-discover the keys when using a Debian-based distribution (Ubuntu, Mint, etc) but will need the paths explicitly provided (e.g. /root/MOK.priv and /root/MOK.der) with Fedora and other distributions.

Enabling and Disabling Secure Boot

Disabling secure boot is not recommended, but it can confirm if your issue really is due to secure boot rather than some other problem. The precise steps to disable secure boot will vary between systems but the following is fairly typical:

  1. Print these instructions or open them on another computer.

  2. Save and close any open documents and programs.

  3. Run systemctl reboot --firmware-setup to restart the computer and enter the UEFI (BIOS) setup
  • NOTE: If this command does not work, reboot the computer normally and when the manufacturer logo is displayed press the appropriate key to enter UEFI (BIOS) setup. This will typically be "F2", "Del", "Enter", etc.

  4. Open the "Secure Boot" item in the "Security" tab

  5. Change the "Secure Boot" item to "Disabled"

  6. Save and exit setup

Once secure boot has been disabled, the Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7 message should no longer be present in dmesg and your tablet should begin working. If the message is still present, you will need to verify that you have actually disabled secure boot. If the message is not present but the tablet still does not work, you will need to ensure that your input-wacom driver was installed properly.

If the tablet works properly, you should re-enable secure boot and then proceed to the following section.

Creating and Registering Keys

In order for the input-wacom driver to load with secure boot enabled, the system must recognize it as a trusted kernel module. This first requires you to create a signing key and register it with the system. Once the signing key is generated and registered, it can be used in the build process to produce a signed driver that the system will trust.

Ubuntu, Mint, Debian

Ubuntu provides a helper tool that simplifies much of the configuration process. Use the following instructions to set up your system:

  1. Run sudo update-secureboot-policy --new-key to create a key
  • NOTE: This will check to see if a key already exists and reuse it if possible.

  2. Run sudo update-secureboot-policy --enroll-key to enroll the key into the MOK database
  • NOTE: If the command indicates that secure boot is not enabled, you will need to enable it first.
  • NOTE: If the command indicates that no DKMS modules are installed, you will need to run sudo mokutil --import /var/lib/shim-signed/mok/MOK.der instead
  • NOTE: If the command completes with no message, the key has already been imported. Skip to "Building a Signed Driver" below.

  3. Enter a temporary password at the input password: prompt, and repeat it when asked.
  • NOTE: This password is used only once, at the next reboot, to prove that you are physically present. It is okay to use something simple like password or 12345.

  4. Reboot the computer. A blue screen titled "Perform MOK management" will start instead of Linux.
  • NOTE: If you do not respond within 10 seconds the computer will continue the boot process and load Linux. If this happens you can simply go back to step 2.

  5. Select the "Enroll MOK" option, and then "Continue", and "Yes".

  6. When asked for a password, type in the temporary password from step 3.

  7. Select "Reboot"

Fedora, SUSE, Arch Linux, etc.

  1. Run the following command to create an OpenSSL configuration file:
$ cat << EOF > sboot_openssl.config
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
default_md = sha256
default_days = 36500
utf8 = yes

[ req_distinguished_name ]
CN = $(uname -n) Secure Boot Module Signature key

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
  2. Run sudo openssl req -x509 -new -nodes -batch -config sboot_openssl.config -out /root/MOK.der -outform der -keyout /root/MOK.priv to generate a keypair for secure boot.
  • NOTE: -nodes writes the private key to disk unencrypted. Anyone who can read /root/MOK.priv can sign modules that this machine will load, so leave it owned by root and unreadable by other users.

  3. Run sudo mokutil --import /root/MOK.der to enroll the key into the MOK database.

  4. Enter a temporary password at the input password: prompt, and repeat it when asked.
  • NOTE: This password is used only once, at the next reboot, to prove that you are physically present. It is okay to use something simple like password or 12345.

  5. Reboot the computer. A blue screen titled "Perform MOK management" will start instead of Linux.
  • NOTE: If you do not respond within 10 seconds the computer will continue the boot process and load Linux. If this happens you can simply go back to step 3.

  6. Select the "Enroll MOK" option, and then "Continue", and "Yes".

  7. When asked for a password, type in the temporary password from step 4.

  8. Select "Reboot"

Building a Signed Driver

Once the system has been configured by following the instructions above, it should be possible to build the driver using the standard build instructions.
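Two checks are worth running after the build, before rebooting or re-enabling secure boot: did the build actually append a signature to the .ko, and is the lockdown refusal quoted at the top of this page still appearing in dmesg? The script below is an added example, not part of the input-wacom wiki or the project's build scripts. It parses the trailer that the kernel's sign-file tool appends to a signed module (the PKCS#7 blob, then the 12-byte struct module_signature, then the 28-byte "~Module signature appended~\n" marker) and counts lockdown refusals in a saved dmesg log. The "fake" modules and log lines it creates are constructed stand-ins so that it runs offline; point the functions at the wacom.ko your build installed to use it for real.

```shell
#!/bin/sh
# Added example (not from the input-wacom wiki or project): post-build checks for a
# signed out-of-tree module. Needs only POSIX tail/head/od/grep/wc/mktemp.
set -eu

# Kernel's MODULE_SIG_STRING without its trailing newline (include/linux/module_signature.h).
MODULE_SIG_STRING='~Module signature appended~'
# The refusal logged when lockdown blocks an unsigned module (see the top of this page).
LOCKDOWN_MSG='Lockdown: Loading of unsigned modules is restricted'

# dmesg_lockdown_hits FILE: print how many lines of a saved dmesg log carry the refusal.
dmesg_lockdown_hits() {
    grep -c "$LOCKDOWN_MSG" "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# module_sig_len FILE: print the byte length of the PKCS#7 signature appended to a
# signed .ko, or 0 if the file carries no (well-formed) signature trailer.
# Trailer layout: <PKCS#7 bytes> <12-byte struct module_signature> <28-byte magic string>
module_sig_len() {
    f=$1
    # 1. The file must end with the magic string ($(...) strips the final newline).
    [ "$(tail -c 28 "$f")" = "$MODULE_SIG_STRING" ] || { echo 0; return 0; }
    # 2. The 12 bytes before it are struct module_signature:
    #    algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (big-endian u32).
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -tu1)
    # id_type must be PKEY_ID_PKCS7 (2); sign-file leaves the other one-byte fields 0.
    [ "$3" -eq 2 ] || { echo 0; return 0; }
    siglen=$(( $9 * 16777216 + ${10} * 65536 + ${11} * 256 + ${12} ))
    # 3. The advertised signature must actually fit in front of the trailer.
    size=$(( $(wc -c < "$f") + 0 ))
    [ "$size" -ge $(( siglen + 40 )) ] || { echo 0; return 0; }
    echo "$siglen"
}

# module_is_signed FILE: exit status 0 if a signature trailer is present.
module_is_signed() {
    [ "$(module_sig_len "$1")" -gt 0 ]
}

# make_fake_module OUT signed|unsigned: write a CONSTRUCTED stand-in for a .ko (not a real
# ELF file) with or without the trailer sign-file would append. Demo/test input only.
make_fake_module() {
    printf 'constructed module body, not a real ELF image' > "$1"
    if [ "$2" = signed ]; then
        printf '%042d' 0 >> "$1"                  # 42 bytes standing in for the PKCS#7 blob
        # struct module_signature: algo=0 hash=0 id_type=2 signer_len=0 key_id_len=0 pad=0 0 0
        # sig_len = 42 as big-endian u32 (\052 is octal 42)
        printf '\000\000\002\000\000\000\000\000\000\000\000\052' >> "$1"
        printf '%s\n' "$MODULE_SIG_STRING" >> "$1"
    fi
}

# Demo on constructed inputs (run directly: sh check_signed_module.sh).
demo_dir=$(mktemp -d)
make_fake_module "$demo_dir/signed.ko" signed
make_fake_module "$demo_dir/unsigned.ko" unsigned
printf '%s\n' '[    2.104] usbcore: registered new interface driver wacom' \
    'Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7' \
    > "$demo_dir/dmesg.txt"                       # constructed log lines
for ko in "$demo_dir"/*.ko; do
    if module_is_signed "$ko"; then
        echo "$ko: signed, PKCS#7 blob is $(module_sig_len "$ko") bytes"
    else
        echo "$ko: NOT signed; lockdown will refuse to load it"
    fi
done
echo "lockdown refusals in log: $(dmesg_lockdown_hits "$demo_dir/dmesg.txt")"
rm -r "$demo_dir"
```

For a real module, module_is_signed only tells you a signature is present, not that it was made with the key you enrolled; cross-check with modinfo -F signer on the installed wacom.ko (it prints the CN of the signing certificate, which should match the key you created above) before rebooting with secure boot on.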
