Environment
RAID Model: SR1000 or SR1010 etc
Host Hardware: AMD/Intel/Supermicro model etc
Operating System: Linux Ubuntu etc
Issue
Setting up Secure Boot with SupremeRAID™ requires proper key enrollment for loading both the SupremeRAID and NVIDIA drivers under Secure Boot. Without correct configuration, Secure Boot may remain disabled, preventing a secure boot process.
Resolution
Follow these steps to enable Secure Boot with custom Machine Owner Keys (MOK) for SupremeRAID™.
Note: This approch is using DKMS's Module signing, user can re-generate an MOK key or using the DKMS's MOK key.
Step 1: Disable Secure Boot in BIOS/UEFI
Enter BIOS/UEFI Settings: Set Secure Boot to "Disabled" temporarily to allow driver installation and signing.
Step 2: Install SupremeRAID Pre-Installer and Installer
- Download the pre-installer in Graid's website and then run the Pre-Installer to setup environment:
- wget <pre-installer.run>
- sudo chmod +x <pre-installer.run>
- sudo ./<pre-installer.run>
2. Download theSupremeRAID Driver in Graid's website and then run the Installer:
- wget <graid-sr-installer.run>
- sudo chmod +x <graid-sr-installer.run>
- sudo ./ <graid-sr-installer.run>
Step 3: Prepare MOK Key for Secure Boot
There are two ways to obtain the MOK key:
-. User-Generated MOK Key:
Generate your own MOK key and certificate:
- openssl req -new -x509 -newkey rsa:2048 -keyout ~/certs/MOK.key -out ~/certs/MOK.crt -nodes -days 3650 -subj "/CN=User Generated MOK/"
-. Use DKMS-Generated MOK Key:
The DKMS will auto-sign and generate the MOK key in `/var/lib/shim-signed/mok/` path, you can use this key and certificate directly if you would not want to generate a new Key.
Step 4: Re-sign the Driver Using DKMS
The pre-installer version 1.6.1-119 does not automatically sign the NVIDIA driver with a MOK key. Therefore, users need to manually re-sign the NVIDIA driver.
If you choose to generate your own MOK key, you will need to re-sign all the Graid/grebar and NVIDIA drivers with your custom MOK key. Otherwise, if using the existing MOK key, only the NVIDIA driver requires re-signing.
Rebuild DKMS with the MOK Key:
After the MOK key is imported, rebuild and sign the NVIDIA driver using DKMS:sudo dkms remove -m <driver-name> -v <version>
- sudo dkms build -m <driver-name> -v <version>
- sudo dkms install -m <driver-name> -v <version>
Example:
- sudo dkms remove -m nvidia -v 550.67
- sudo dkms build -m nvidia -v 550.67
- sudo dkms install -m nvidia -v 550.6
Using a Self-Generated MOK Key, resign all modules:
Import the MOK key in advance using:
- sudo mokutil --import ~/certs/MOK.crt
- reboot
After reboot the system, and confirm the MOK key enrollment in the MOK Manager during boot, then re-sing all the drivers(NVIDIA, greber and graid driver)
- sudo dkms remove -m <driver-name> -v <version>
- sudo dkms build -m <driver-name> -v <version>
- sudo dkms install -m <driver-name> -v <version>
Example:
- sudo dkms remove -m nvidia -v 550.67
- sudo dkms build -m nvidia -v 550.67
- sudo dkms install -m nvidia -v 550.67
- sudo dkms remove -m graid -v 1.6.1
- sudo dkms build -m graid -v 1.6.1
- sudo dkms install -m graid -v 1.6.1
- sudo dkms remove -m grebar -v 0.1.0
- sudo dkms build -m grebar -v 0.1.0
- sudo dkms install -m grebar -v 0.1.0
Step 5: Set Up Secure Boot Process with MOK management
The DKMS will auto-sign and generate the MOK key in `/var/lib/shim-signed/mok/` path.
- sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
You'll be prompted to create a password. Enter it twice, it can also be blank.
Reboot the computer. At boot you'll see the MOK Manager EFI interface:
Press any key to enter it, then select "Enroll MOK":
Then select "Continue":
And confirm with "Yes" when prompted:
After this, enter the password you set up with mokutil --import
in the previous step:
At this point you are done, select "OK" and the computer will reboot trusting the key for your modules:
After reboot, you can inspect the MOK certificates with the following command:
- sudo mokutil --list-enrolled | grep 'Subject: CN'
Example:
To check the signature on a built DKMS module that is installed on a system:
- sudo modinfo <module> | grep 'signer:'
Example:
- sudo modinfo nvidia | grep 'signer:'
- sudo modinfo graid | grep 'signer:'
- sudo modinfo grebar | grep 'signer:'
The module can now be loaded without issues.
And you can check the Secure Boot status
You should see the output as follow:
Related Articles
Offline install SupremeRAID driver(Ubuntu)#
Environment RAID Model: SR1000 or SR1010, SR1001 Host Hardware: Intel, AMD Operating System: Linux Deb base(Ubuntu) Issue When users need to install the SupremRAID driver but cannot connect to the external network. Resolution Prepare an environment ...
How to Configure QEMU with SupremeRAID RAID as a Datastore for Virtual Machines #
Environment RAID Model: All Supreme RAID model Host Hardware: AMD/Intel Operating System: Linux RHEL QEMU Description Virtualization has become an essential tool for modern computing, enabling multiple virtual machines (VMs) to operate on a single ...
Offline install SupremeRAID driver#
Environment RAID Model: SR1000 or SR1010, SR1001 Host Hardware: Intel, AMD Operating System: Linux RPM base(Alamlinux, CentOS, RHEL, Oracle Linux) Issue When users need to install the SupremRAID driver but cannot connect to the external network. ...
Installation Guide for SupremeRAID driver
Environment RAID Model: SR1000 or SR1010 etc Host Hardware: AMD/Intel/Supermicro model etc Operating System: Linux etc Issue Beginning using SupremeRAID Resolution Linux Step 1: Downloading the Required Scripts ...
Understanding the 'Buffer I/O error' Message During CentOS 7.9 Boot-Up#
Environment RAID Model: all Graid card Host Hardware: every platform Operating System: Linux CentOS 7 Issue When booting up a CentOS 7.9 system, users may encounter an error message that reads "Buffer I/O error on dev [gpdXn1], logical block 0, async ...