Some time ago, I needed to use the v4l2loopback
module. It can be installed via:
$ sudo apt install v4l2loopback-dkms
Normally, after installing a module, you can just modprobe
it, and it will load. However, due to Secure Boot, it will fail.
$ sudo modprobe v4l2loopback
modprobe: ERROR: could not insert 'v4l2loopback': Operation not permitted
The problem is that the v4l2loopback
isn’t signed. For example, compare the output of:
$ /usr/sbin/modinfo -F signer v4l2loopback
which is empty, versus
$ /usr/sbin/modinfo -F signer xor
Debian Secure Boot CA
The solution would be to sign the v4l2loopback
module ourselves.
Creating a key
The update-secureboot-policy
script available in Ubuntu’s shim-signed
package is able to generate Machine Owner Keys (MOK) by itself. However, the currently available in Debian Unstable doesn’t have the key generation functionality. We can either fetch the Ubuntu version or generate the keys ourselves.
$ wget https://git.launchpad.net/ubuntu/+source/shim-signed/plain/update-secureboot-policy
$ chmod +x ./update-secureboot-policy
$ sudo ./update-secureboot-policy --new-key
Or through generating the keys ourselves:
$ sudo mkdir -p /var/lib/shim-signed/mok
$ cd /var/lib/shim-signed/mok/
$ sudo openssl genrsa -aes256 -out MOK.priv
$ sudo openssl req \
-subj "/CN=`hostname -s | cut -b1-31` Secure Boot Module Signature key" \
-new -x509 -nodes -days 36500 -outform DER \
-key MOK.priv \
-out MOK.der
Write down the passphrase for your private key. You will need it whenever you want to sign drivers.
Now we enroll the newly created key:
$ sudo mokutil --import MOK.der
You will be prompted for a password. This password will be required after reboot in order to complete the key enrollment, you will not need it afterwards.
After reboot, check that your key was indeed enrolled:
$ mokutil --list-enrolled
Signing the module
We need to put the passphrase for the private key in the KBUILD_SIGN_PIN
env variable:
$ read -s KBUILD_SIGN_PIN
$ export KBUILD_SIGN_PIN
Now we can do the actual signing:
$ cd /usr/lib/modules/$(uname -r)/updates/dkms
$ sudo --preserve-env=KBUILD_SIGN_PIN /usr/lib/linux-kbuild-$(uname -r | cut -d. -f1-2)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK{.priv,.der} v4l2loopback.ko
You will need to repeat this step for every new kernel that you install.