Some time ago, I needed to use the v4l2loopback module. It can be installed via:
$ sudo apt install v4l2loopback-dkms
Normally, after installing a module, you can just modprobe it, and it will load. However, due to Secure Boot, it will fail.
$ sudo modprobe v4l2loopback
modprobe: ERROR: could not insert 'v4l2loopback': Operation not permitted
The problem is that the v4l2loopback module isn’t signed. For example, compare the output of:
$ /usr/sbin/modinfo -F signer v4l2loopback
which is empty, versus
$ /usr/sbin/modinfo -F signer xor
Debian Secure Boot CA
The solution is to sign the v4l2loopback module ourselves.
Creating a key
The update-secureboot-policy script available in Ubuntu’s shim-signed package is able to generate Machine Owner Keys (MOK) by itself. However, the version currently available in Debian Unstable doesn’t have the key-generation functionality. We can either fetch the Ubuntu version or generate the keys ourselves.
$ wget https://git.launchpad.net/ubuntu/+source/shim-signed/plain/update-secureboot-policy
$ chmod +x ./update-secureboot-policy
$ sudo ./update-secureboot-policy --new-key
Or by generating the keys ourselves:
$ sudo mkdir -p /var/lib/shim-signed/mok
$ cd /var/lib/shim-signed/mok/
$ sudo openssl genrsa -aes256 -out MOK.priv
$ sudo openssl req
-subj "/CN=`hostname -s | cut -b1-31` Secure Boot Module Signature key"
-new -x509 -nodes -days 36500 -outform DER
-key MOK.priv
-out MOK.der
Write down the passphrase for your private key. You will need it whenever you want to sign drivers.
Now we enroll the newly created key:
$ sudo mokutil --import MOK.der
You will be prompted for a password. This password will be required after reboot in order to complete the key enrollment. You will not need it afterward.
After rebooting, check that your key was indeed enrolled:
$ mokutil --list-enrolled
Signing the module
We need to put the passphrase for the private key in the KBUILD_SIGN_PIN environment variable:
$ read -s KBUILD_SIGN_PIN
$ export KBUILD_SIGN_PIN
Now we can do the actual signing:
$ cd /usr/lib/modules/$(uname -r)/updates/dkms
$ sudo --preserve-env=KBUILD_SIGN_PIN /usr/lib/linux-kbuild-$(uname -r | cut -d. -f1-2)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK{.priv,.der} v4l2loopback.ko
You will need to repeat this step for every new kernel that you install.