Automating OpenRazer Driver Signing on Fedora with DKMS and Secure Boot
When setting up OpenRazer drivers on a Fedora system with Secure Boot enabled, the drivers need to be signed for the kernel to accept them. Manual signing can become repetitive, especially with each new kernel update. Luckily, we can use DKMS and a single key (mok.pub) to streamline this process. In this guide, I’ll walk you through how DKMS handles module signing, why the mok.pub key works universally, and how to set it up on your Fedora system.
Why Use DKMS and mok.pub?
DKMS (Dynamic Kernel Module Support) automates the building and signing of kernel modules. The mok.pub key, generated by DKMS, acts as a universal signature. By enrolling this key in your EFI (Extensible Firmware Interface), you allow your Fedora system to trust any DKMS-managed modules, including OpenRazer, DisplayLink (EVDI), and others, simplifying the signing process.
Here’s how to set up DKMS and mok.pub to automate the signing of your OpenRazer drivers.
Step 1: Install DKMS and OpenRazer
First, ensure DKMS and mokutil are installed, as well as the OpenRazer drivers:
sudo dnf install dkms mokutil openrazer-meta
Step 2: Enroll the DKMS Key with Secure Boot
The mok.pub key, located at /var/lib/dkms/mok.pub, is automatically generated by DKMS. This key is used to sign all DKMS-built modules, meaning it will work for OpenRazer and other modules without needing specific driver names.
To enroll this key:
sudo mokutil --import /var/lib/dkms/mok.pub
Step 3: Complete Key Enrollment in EFI
After running the command above, reboot your system. During startup, you’ll be prompted to complete the MOK enrollment. Follow the on-screen instructions to import the key in the EFI firmware.
Step 4: Verify Key Enrollment (Optional)
After rebooting, you can confirm the key was successfully enrolled by running:
mokutil --list-enrolled | grep DKMS
If the mok.pub key appears in the list, you’re all set!
Step 5: Let DKMS Handle New Kernel Signing
From now on, DKMS will automatically sign the OpenRazer module (and any other DKMS-managed modules) each time a new kernel is installed. If for some reason a module isn’t signed after a kernel update, you can manually trigger DKMS to sign it:
sudo dkms autoinstall
Why This Method Works
The mok.pub key is general-purpose, allowing your Fedora system to trust any kernel module signed with it. Since DKMS takes care of signing modules as they’re built or rebuilt, you won’t need to sign them manually after each kernel update. This setup also improves security by only loading trusted modules while ensuring convenience.
Conclusion
By enrolling the DKMS mok.pub key, you streamline the OpenRazer driver installation on Fedora and eliminate the need for repeated manual signing. This method not only saves time but also secures your system, letting Secure Boot only load verified modules.
Enjoy !
AlexIn Tech