Enabling Secure Boot with SupremeRAID™ on Ubuntu


Environment

RAID Model: SR1000 or SR1010 etc

Host Hardware: AMD/Intel/Supermicro model etc

Operating System: Linux Ubuntu etc


Issue

Running SupremeRAID™ with Secure Boot enabled requires proper key enrollment so that both the SupremeRAID and NVIDIA drivers can be loaded under Secure Boot. Without the correct configuration, Secure Boot may have to remain disabled, which prevents a secure boot process.

Resolution

Follow these steps to enable Secure Boot with custom Machine Owner Keys (MOK) for SupremeRAID™.

Note: This approach uses DKMS module signing. You can either generate a new MOK key or use the MOK key that DKMS generates.

Step 1: Disable Secure Boot in BIOS/UEFI


Enter the BIOS/UEFI settings and set Secure Boot to "Disabled" temporarily to allow driver installation and signing.

Step 2: Install SupremeRAID Pre-Installer and Installer

  1. Download the pre-installer from Graid's website, then run it to set up the environment:

     1. wget <pre-installer.run>
     2. sudo chmod +x <pre-installer.run>
     3. sudo ./<pre-installer.run>

  2. Download the SupremeRAID driver from Graid's website, then run the installer:

     1. wget <graid-sr-installer.run>
     2. sudo chmod +x <graid-sr-installer.run>
     3. sudo ./<graid-sr-installer.run>

     Example (using SR1010; download the package that matches your card):

     1. wget https://download.graidtech.com/driver/sr/linux/1.6.1/release/graid-sr-installer-1.6.1-010-308-273.run
     2. sudo chmod +x graid-sr-installer-1.6.1-010-308-273.run
     3. sudo ./graid-sr-installer-1.6.1-010-308-273.run

Step 3: Prepare MOK Key for Secure Boot

There are two ways to obtain the MOK key:

  - User-generated MOK key
    Generate your own MOK key and certificate. The `~/certs` directory must already exist. `mokutil --import` expects a DER-encoded certificate, so the certificate is written with `-outform DER`:

    1. openssl req -new -x509 -newkey rsa:2048 -keyout ~/certs/MOK.key -outform DER -out ~/certs/MOK.crt -nodes -days 3650 -subj "/CN=User Generated MOK/"

  - DKMS-generated MOK key
    DKMS automatically generates a MOK key in `/var/lib/shim-signed/mok/` and signs modules with it. You can use this key and certificate directly if you do not want to generate a new key.


Step 4: Re-sign the Driver Using DKMS

The pre-installer version 1.6.1-119 does not automatically sign the NVIDIA driver with a MOK key. Therefore, users need to manually re-sign the NVIDIA driver.

If you choose to generate your own MOK key, you will need to re-sign all the Graid/grebar and NVIDIA drivers with your custom MOK key. Otherwise, if using the existing MOK key, only the NVIDIA driver requires re-signing.


Rebuild DKMS with the MOK Key:

After the MOK key is imported, rebuild and sign the NVIDIA driver using DKMS:
  1. sudo dkms remove -m <driver-name> -v <version>
  2. sudo dkms build -m <driver-name> -v <version>
  3. sudo dkms install -m <driver-name> -v <version>
Example:
  1. sudo dkms remove -m nvidia -v 550.67
  2. sudo dkms build -m nvidia -v 550.67
  3. sudo dkms install -m nvidia -v 550.67


Using a self-generated MOK key, re-sign all modules:
      Import the MOK key in advance using:
  1. sudo mokutil --import ~/certs/MOK.crt
  2. reboot
      After the reboot, confirm the MOK key enrollment in the MOK Manager during boot, then re-sign all the drivers (NVIDIA, grebar and graid):
  1. sudo dkms remove -m <driver-name> -v <version>
  2. sudo dkms build -m <driver-name> -v <version>
  3. sudo dkms install -m <driver-name> -v <version>
Example: 
  1.  sudo dkms remove -m nvidia -v 550.67
  2.  sudo dkms build -m nvidia -v 550.67
  3.  sudo dkms install -m nvidia -v 550.67
  4.  sudo dkms remove -m graid -v 1.6.1
  5.  sudo dkms build -m graid -v 1.6.1
  6.  sudo dkms install -m graid -v 1.6.1
  7.  sudo dkms remove -m grebar -v 0.1.0
  8.  sudo dkms build -m grebar -v 0.1.0
  9.  sudo dkms install -m grebar -v 0.1.0

Step 5: Set Up Secure Boot Process with MOK management

DKMS automatically generates the MOK key in `/var/lib/shim-signed/mok/` and signs modules with it.

  1.  sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
 
You'll be prompted to create a password. Enter it twice; it can also be blank.

Reboot the computer. At boot you'll see the MOK Manager EFI interface:

[Screenshot: SHIM UEFI key management]



Press any key to enter it, then select "Enroll MOK":

[Screenshot: Perform MOK management]



Then select "Continue":

[Screenshot: Enroll MOK]



And confirm with "Yes" when prompted:



After this, enter the password you set up with mokutil --import in the previous step:



At this point you are done, select "OK" and the computer will reboot trusting the key for your modules:

[Screenshot: Perform MOK management]


After reboot, you can inspect the MOK certificates with the following command:
  1. sudo mokutil --list-enrolled | grep 'Subject: CN'

To check the signature on a built DKMS module that is installed on a system:
  1. sudo modinfo <module> | grep 'signer:'
Example:
  1. sudo modinfo nvidia | grep 'signer:'
  2. sudo modinfo graid | grep 'signer:'
  3. sudo modinfo grebar | grep 'signer:'

The module can now be loaded without issues.

You can also check the Secure Boot status:
  1. mokutil --sb-state
You should see the following output:

  1. SecureBoot enabled
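
The two checks above can be combined. The following added example (not part of the original article or of Graid's tooling) compares each module's `modinfo` signer with the Subject CNs that `mokutil --list-enrolled` reports, and flags modules that are unsigned or signed by a key that is not enrolled. The function names and all sample command output are constructed for illustration, and it assumes the CN is the last component of each Subject line.

```shell
#!/bin/sh
# Added example, not vendor code. All sample command output below is constructed.

# stdin: `mokutil --list-enrolled` output -> one enrolled Subject CN per line.
# Assumption: CN is the last component of each Subject line.
enrolled_cns() {
  sed -n -e 's/[[:space:]]*$//' \
         -e 's/^[[:space:]]*Subject:.*CN[[:space:]]*=[[:space:]]*//p'
}

# stdin: `modinfo <module>` output -> signer name (empty if module is unsigned).
module_signer() {
  sed -n -e 's/[[:space:]]*$//' -e 's/^signer:[[:space:]]*//p'
}

# check_module NAME SIGNER ENROLLED_CNS
# Returns 0 if SIGNER equals an enrolled CN, 1 if unsigned, 2 if not enrolled.
# Name comparison only; the kernel does the cryptographic verification at load.
check_module() {
  if [ -z "$2" ]; then echo "$1: UNSIGNED"; return 1; fi
  if printf '%s\n' "$3" | grep -Fxq -- "$2"; then
    echo "$1: OK (signer '$2' is enrolled)"; return 0
  fi
  echo "$1: signer '$2' is NOT enrolled"; return 2
}

SAMPLE_MOK='[key 1]
        Issuer: CN=User Generated MOK
        Subject: CN=User Generated MOK
[key 2]
        Subject: C=GB, O=Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority'
SAMPLE_NVIDIA='filename:       nvidia.ko
signer:         User Generated MOK
sig_hashalgo:   sha512'
SAMPLE_GRAID='filename:       graid.ko
signer:         host01 Secure Boot Module Signature key'
SAMPLE_GREBAR='filename:       grebar.ko
description:    constructed sample without a signer field'

# Run the check over the three constructed modinfo samples; 0 only if all pass.
check_samples() {
  cns=$(printf '%s\n' "$SAMPLE_MOK" | enrolled_cns); failed=0
  for pair in "nvidia:$SAMPLE_NVIDIA" "graid:$SAMPLE_GRAID" "grebar:$SAMPLE_GREBAR"; do
    name=${pair%%:*}; info=${pair#*:}
    check_module "$name" "$(printf '%s\n' "$info" | module_signer)" "$cns" || failed=1
  done
  return "$failed"
}
check_samples || echo "Re-sign the flagged modules with DKMS before enabling Secure Boot."
```

On a live host, pipe `sudo mokutil --list-enrolled` into `enrolled_cns` and `modinfo <module>` into `module_signer` in place of the samples. The constructed data reproduces the case from Step 4 where a self-generated key is enrolled but only the NVIDIA driver was re-signed with it.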


