top of page

How to sign OpenRazer Driver on Fedora with DKMS and Secure Boot

Automating OpenRazer Driver Signing on Fedora with DKMS and Secure Boot

When setting up OpenRazer drivers on a Fedora system with Secure Boot enabled, the drivers need to be signed for the kernel to accept them. Manual signing can become repetitive, especially with each new kernel update. Luckily, we can use DKMS and a single key (mok.pub) to streamline this process. In this guide, I’ll walk you through how DKMS handles module signing, why the mok.pub key works universally, and how to set it up on your Fedora system.


Why Use DKMS and mok.pub?

DKMS (Dynamic Kernel Module Support) automates the building and signing of kernel modules. The mok.pub key, generated by DKMS, acts as a universal signature. By enrolling this key in your EFI (Extensible Firmware Interface), you allow your Fedora system to trust any DKMS-managed modules, including OpenRazer, DisplayLink (EVDI), and others, simplifying the signing process.

Here’s how to set up DKMS and mok.pub to automate the signing of your OpenRazer drivers.


Step 1: Install DKMS and OpenRazer

First, ensure DKMS and mokutil are installed, as well as the OpenRazer drivers:

sudo dnf install dkms mokutil openrazer-meta

Step 2: Enroll the DKMS Key with Secure Boot

The mok.pub key, located at /var/lib/dkms/mok.pub, is automatically generated by DKMS. This key is used to sign all DKMS-built modules, meaning it will work for OpenRazer and other modules without needing specific driver names.


To enroll this key:

sudo mokutil --import /var/lib/dkms/mok.pub

Step 3: Complete Key Enrollment in EFI

After running the command above, reboot your system. During startup, you’ll be prompted to complete the MOK enrollment. Follow the on-screen instructions to import the key in the EFI firmware.


Step 4: Verify Key Enrollment (Optional)

After rebooting, you can confirm the key was successfully enrolled by running:

mokutil --list-enrolled | grep DKMS

If the mok.pub key appears in the list, you’re all set!


Step 5: Let DKMS Handle New Kernel Signing

From now on, DKMS will automatically sign the OpenRazer module (and any other DKMS-managed modules) each time a new kernel is installed. If for some reason a module isn’t signed after a kernel update, you can manually trigger DKMS to sign it:

sudo dkms autoinstall

Why This Method Works

The mok.pub key is general-purpose, allowing your Fedora system to trust any kernel module signed with it. Since DKMS takes care of signing modules as they’re built or rebuilt, you won’t need to sign them manually after each kernel update. This setup also improves security by only loading trusted modules while ensuring convenience.


Conclusion

By enrolling the DKMS mok.pub key, you streamline the OpenRazer driver installation on Fedora and eliminate the need for repeated manual signing. This method not only saves time but also secures your system, letting Secure Boot only load verified modules.


Enjoy !

AlexIn Tech

1 view
bottom of page