Environment
RAID Model: SR1000 or SR1010 etc
Host Hardware: AMD/Intel/Supermicro model etc
Operating System: Linux Ubuntu etc
Issue
Setting up Secure Boot with SupremeRAID™ requires proper key enrollment for loading both the SupremeRAID and NVIDIA drivers under Secure Boot. Without correct configuration, Secure Boot may remain disabled, preventing a secure boot process.
Resolution
Follow these steps to enable Secure Boot with custom Machine Owner Keys (MOK) for SupremeRAID™.
Note: This approach uses DKMS module signing. You can either generate a new MOK key or use the MOK key that DKMS generated.
Step 1: Disable Secure Boot in BIOS/UEFI
Enter BIOS/UEFI Settings: Set Secure Boot to "Disabled" temporarily to allow driver installation and signing.
Step 2: Install SupremeRAID Pre-Installer and Installer
1. Download the pre-installer from Graid's website, then run it to set up the environment:
- wget <pre-installer.run>
- sudo chmod +x <pre-installer.run>
- sudo ./<pre-installer.run>
2. Download the SupremeRAID driver from Graid's website, then run the installer:
- wget <graid-sr-installer.run>
- sudo chmod +x <graid-sr-installer.run>
- sudo ./<graid-sr-installer.run>
Step 3: Prepare MOK Key for Secure Boot
There are two ways to obtain the MOK key:
1. User-generated MOK key:
Generate your own MOK key and certificate. The certificate is written in DER format, which mokutil --import expects, and the ~/certs directory must already exist:
- openssl req -new -x509 -newkey rsa:2048 -keyout ~/certs/MOK.key -outform DER -out ~/certs/MOK.crt -nodes -days 3650 -subj "/CN=User Generated MOK/"
2. DKMS-generated MOK key:
DKMS automatically generates a MOK key and signs modules with it; the key and certificate are stored under `/var/lib/shim-signed/mok/`. You can use this key and certificate directly if you do not want to generate a new key.
Step 4: Re-sign the Driver Using DKMS
The pre-installer version 1.6.1-119 does not automatically sign the NVIDIA driver with a MOK key. Therefore, users need to manually re-sign the NVIDIA driver.
If you choose to generate your own MOK key, you will need to re-sign all the Graid/grebar and NVIDIA drivers with your custom MOK key. Otherwise, if using the existing MOK key, only the NVIDIA driver requires re-signing.
Rebuild DKMS with the MOK Key:
After the MOK key is imported, rebuild and sign the NVIDIA driver using DKMS:
- sudo dkms remove -m <driver-name> -v <version>
- sudo dkms build -m <driver-name> -v <version>
- sudo dkms install -m <driver-name> -v <version>
Example:
- sudo dkms remove -m nvidia -v 550.67
- sudo dkms build -m nvidia -v 550.67
- sudo dkms install -m nvidia -v 550.67
Using a self-generated MOK key, re-sign all modules:
Import the MOK key in advance using:
- sudo mokutil --import ~/certs/MOK.crt
- reboot
After rebooting the system and confirming the MOK key enrollment in the MOK Manager during boot, re-sign all the drivers (NVIDIA, grebar and graid):
- sudo dkms remove -m <driver-name> -v <version>
- sudo dkms build -m <driver-name> -v <version>
- sudo dkms install -m <driver-name> -v <version>
Example:
- sudo dkms remove -m nvidia -v 550.67
- sudo dkms build -m nvidia -v 550.67
- sudo dkms install -m nvidia -v 550.67
- sudo dkms remove -m graid -v 1.6.1
- sudo dkms build -m graid -v 1.6.1
- sudo dkms install -m graid -v 1.6.1
- sudo dkms remove -m grebar -v 0.1.0
- sudo dkms build -m grebar -v 0.1.0
- sudo dkms install -m grebar -v 0.1.0
Step 5: Set Up Secure Boot Process with MOK management
DKMS automatically generates the MOK key under `/var/lib/shim-signed/mok/` and signs modules with it. Import its certificate:
- sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
You'll be prompted to create a password. Enter it twice; it can also be blank.
Reboot the computer. At boot you'll see the MOK Manager EFI interface:
Press any key to enter it, then select "Enroll MOK":
Then select "Continue":
And confirm with "Yes" when prompted:
After this, enter the password you set up with mokutil --import in the previous step:
At this point you are done, select "OK" and the computer will reboot trusting the key for your modules:
After reboot, you can inspect the MOK certificates with the following command:
- sudo mokutil --list-enrolled | grep 'Subject: CN'
To check the signature on a built DKMS module that is installed on a system:
- sudo modinfo <module> | grep 'signer:'
Example:
- sudo modinfo nvidia | grep 'signer:'
- sudo modinfo graid | grep 'signer:'
- sudo modinfo grebar | grep 'signer:'
The module can now be loaded without issues.
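The two checks above (enrolled MOK subjects and each module's signer) can be combined into one pass that flags a module that is unsigned or signed by a key that was never enrolled. This is an added example, not part of Graid's procedure; it assumes modinfo's signer field equals the certificate CN, and the fake_* stubs and the certificate names in them are constructed sample data.

```shell
# Added example (not vendor code). Assumption: modinfo's "signer" field is the
# CN of the signing certificate, as listed by `mokutil --list-enrolled`.

# Read `mokutil --list-enrolled` output on stdin, print one subject CN per line.
# Accepts "CN=Name" and "CN = Name" (spacing varies with the OpenSSL version).
enrolled_cns() {
    sed -n 's/^[[:space:]]*Subject:.*CN[[:space:]]*=[[:space:]]*\([^,]*\).*$/\1/p' |
        sed 's/[[:space:]]*$//'
}

# $1 = signer string from modinfo (may be empty), $2 = newline-separated CNs.
classify_signer() {
    if [ -z "$1" ]; then echo UNSIGNED
    elif printf '%s\n' "$2" | grep -Fxq -- "$1"; then echo TRUSTED
    else echo NOT_ENROLLED
    fi
}

# Report each module; returns non-zero if any module is not TRUSTED.
# MOKUTIL/MODINFO can be overridden so the logic can be exercised offline.
audit_modules() {
    cns=$(${MOKUTIL:-mokutil} --list-enrolled | enrolled_cns)
    rc=0
    for m in "$@"; do
        signer=$(${MODINFO:-modinfo} -F signer "$m" 2>/dev/null) || signer=""
        verdict=$(classify_signer "$signer" "$cns")
        printf '%-8s %-13s %s\n' "$m" "$verdict" "${signer:-<none>}"
        [ "$verdict" = TRUSTED ] || rc=1
    done
    return "$rc"
}

# ---- Constructed sample data (not captured from a real system) ----
fake_mokutil() { cat <<'EOF'
[key 1]
        Subject: CN = Example DKMS signing key
[key 2]
        Subject: CN=User Generated MOK
EOF
}
fake_modinfo() {  # called as: fake_modinfo -F signer <module>
    case "$3" in
        nvidia) echo "Example DKMS signing key" ;;
        graid)  echo "User Generated MOK" ;;
        grebar) echo "Some Other Key" ;;
    esac
}
# Offline demo; on a real host run as root: audit_modules nvidia graid grebar
MOKUTIL=fake_mokutil MODINFO=fake_modinfo audit_modules nvidia graid grebar || true
```

A TRUSTED verdict here is only a name match between the signer and an enrolled certificate; the kernel performs the actual signature verification when the module is loaded with Secure Boot enabled.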
You can also check the Secure Boot status.
You should see output as follows: