7

Is there a way to properly list the drivers or kernel modules that are affected by enabling SecureBoot on my machine?

On my machine, I have an NVIDIA video card and I have installed its binary drivers through the PPA.

I have enrolled my own machine owner's key (MOK) and have signed some of the relevant kernel modules. That seems to work, but it's all just guesswork: I just typed modinfo -n nvidia and then used tab-completion to show the kernel modules with names starting with "nvidia". But how do I know I have been thorough and have not missed anything?

Kal
  • 395
  • I don't know of a way to do this. EFI binaries can be signed with sbsign and verified with sbverify. Kernel modules, OTOH, are signed with sign-file, which is part of the kernel source tree, and I don't see any obvious verification tool in the directory that holds sign-file. The closest I can think of to doing what you want is to enable Secure Boot and then try loading the kernel module with modprobe and then see if it's loaded with lsmod. If the module loads, then either it's signed or the kernel is not honoring Secure Boot. – Rod Smith Jun 09 '17 at 12:53

1 Answer

5

All kernel modules that are signed will have ~Module signature appended~\n appended to the end of the file. (Source) To find out if there are any unsigned kernel modules, you can simply search for all *.ko files that don't have the magic string.

For example:

find /lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
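
A stricter variant of the search above, added here as an example and not part of the original answer: it reports a module as signed only when the marker is the last 28 bytes of the file, rather than when the string occurs anywhere in it. The function names and the demo files are constructed for illustration, and it assumes uncompressed .ko files.

```shell
#!/bin/sh
# Added example: list .ko files whose last 28 bytes are not the signature marker.
MARKER='~Module signature appended~'
# Hex of the marker plus its trailing newline (28 bytes); comparing hex keeps
# binary module data out of shell strings.
MARKER_HEX=$(printf '%s\n' "$MARKER" | od -An -tx1 | tr -d ' \n')

# is_signed FILE: true only when FILE ends with the marker and its newline.
is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "$MARKER_HEX" ]
}

# list_unsigned DIR: print every uncompressed module under DIR lacking the trailer.
list_unsigned() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        is_signed "$ko" || printf '%s\n' "$ko"
    done
}

# demo: constructed stand-in files (not real modules) covering three cases.
demo() {
    d=$(mktemp -d) || return 1
    # Marker at the very end: counted as signed.
    printf 'body\001\002sigdata%s\n' "$MARKER" > "$d/signed.ko"
    # No marker at all: counted as unsigned.
    printf 'body\001\002no-trailer\n' > "$d/unsigned.ko"
    # Marker present but followed by other bytes: a plain grep would match it,
    # the end-of-file check does not.
    printf '%s\ntrailing-bytes\n' "$MARKER" > "$d/embedded.ko"
    list_unsigned "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

# With a directory argument, scan it; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then list_unsigned "$1"; else demo; fi
```

Saved as a script and run with a directory such as /lib/modules/$(uname -r), it prints the modules that still need signing; an empty result means every .ko file there carries the trailer.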