'Secure Boot' and Signed Kernel Drivers
In order for a system to run with Secure Boot enabled, the kernel itself must have been built with support for signed kernel modules. This is usually the case with current Linux distributions.
If Secure Boot is actually enabled in the UEFI setup, only kernel modules that carry a trusted cryptographic signature will be loaded. Kernel modules supplied by a particular distribution are already signed with the private key of that distribution, and the certificate needed to verify those signatures is registered and considered trustworthy during system installation.
If you want to use any self-compiled kernel module on such a system, you either have to disable Secure Boot in the UEFI setup, or you have to create your own key for signing self-compiled kernel modules and register it in the system.
Since you have to create your own key/certificate and the private key must only be known to you, it is hardly possible to automate this process. This article provides some hints on how this can be done:
https://unix.stackexchange.com/questions/751517/insmod-causes-key-rejected-by-service
If you don't have a personal key/certificate to sign the compiled kernel module and don't want to create one, on some Linux systems you may receive a warning message containing text like this when trying to install the kernel module:

sign-file: certs/signing_key.pem: No such file or directory

This indicates that no suitable key is available to sign the newly created module at the time you try to install it.
Unless Secure Boot is enabled in the UEFI setup, you can simply ignore this warning message. The kernel module can still be loaded normally and used without restrictions.
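As an added illustration, not part of this page or of the Meinberg tools, the following Python script parses the trailer that sign-file appends to a .ko file, so you can check whether a freshly built module is actually signed before a Secure Boot kernel refuses it. The sample module bytes are constructed, and the script only inspects the trailer; it does not verify the PKCS#7 signature itself.

```python
"""Inspect the signature trailer that sign-file appends to a kernel module.

A signed .ko is laid out as:
    <ELF module> <PKCS#7 blob> <struct module_signature, 12 bytes> <magic>
The kernel checks the magic, reads sig_len from the struct and hands the
blob to its PKCS#7 verifier against the keys on the trusted keyring.
"""
import struct

MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 __pad[3], __be32 sig_len (big-endian, 12 bytes)
SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(ko: bytes):
    """Return None for an unsigned module, else a dict describing the trailer.

    Raises ValueError if the trailer is present but malformed (the same
    conditions make the kernel reject the module with -EBADMSG/-ENOPKG).
    """
    if not ko.endswith(MODULE_SIG_STRING):
        return None
    body = ko[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module_signature struct")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:])
    body = body[: -SIG_STRUCT.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported id_type %d" % id_type)
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("fields other than sig_len must be zero for PKCS#7")
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len %d exceeds module size" % sig_len)
    return {"id_type": "PKCS#7", "sig_len": sig_len,
            "pkcs7": body[-sig_len:], "module": body[:-sig_len]}


def build_signed_sample(module: bytes, pkcs7: bytes) -> bytes:
    """Construct a fake signed module for offline testing (not a real signature)."""
    trailer = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + trailer + MODULE_SIG_STRING


if __name__ == "__main__":
    # constructed sample: a stub "ELF" body plus a 42-byte dummy PKCS#7 blob
    fake = build_signed_sample(b"\x7fELF" + b"\0" * 60, b"\x30\x82" + b"\xaa" * 40)
    print(parse_module_signature(fake)["sig_len"])    # 42
    print(parse_module_signature(b"\x7fELF unsigned"))  # None
```

On a real system, `modinfo -F sig_id mymodule.ko` reports the same information for modules signed by the distribution or by your own enrolled key.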
— Martin Burnicki martin.burnicki@meinberg.de, last updated 2024-12-13