Enabling Secure Boot with SupremeRAID™ on Ubuntu

Environment

RAID Model: SR1000 or SR1010 etc

Host Hardware: AMD/Intel/Supermicro model etc

Operating System: Linux Ubuntu etc

Issue

Setting up Secure Boot with SupremeRAID™ requires proper key enrollment for loading both the SupremeRAID and NVIDIA drivers under Secure Boot. Without correct configuration, Secure Boot may remain disabled, preventing a secure boot process.

Resolution

Follow these steps to enable Secure Boot with custom Machine Owner Keys (MOK) for SupremeRAID™.

Note: This approch is using DKMS's Module signing, user can re-generate an MOK key or using the DKMS's MOK key.

Step 1: Disable Secure Boot in BIOS/UEFI

            Enter BIOS/UEFI Settings:  Set Secure Boot to "Disabled" temporarily to allow driver installation and signing.

Step 2: Install SupremeRAID Pre-Installer and Installer

1. Download the pre-installer in Graid's website and then run the Pre-Installer to setup environment:
   
   

1. wget <pre-installer.run>
   
2. sudo chmod +x <pre-installer.run>
3. sudo ./<pre-installer.run>
   

      Example: 

1.  wget https://download.graidtech.com/driver/pre-install/graid-sr-pre-installer-1.6.1-119-x86_64.run
   
2.  sudo chmod +x graid-sr-pre-installer-1.6.1-119-x86_64.run
   
3.  sudo ./graid-sr-pre-installer-1.6.1-119-x86_64.run

   2. Download theSupremeRAID Driver in Graid's website and then run the Installer:

1. wget <graid-sr-installer.run>
   
2. sudo chmod +x  <graid-sr-installer.run>
3. sudo ./ <graid-sr-installer.run>

      Example: (Take SR1010 for example, user need to download the correct package with your card) 

1.  wget https://download.graidtech.com/driver/sr/linux/1.6.1/release/graid-sr-installer-1.6.1-010-308-273.run
2.  sudo chmod +x graid-sr-installer-1.6.1-010-308-273.run
3.  sudo ./graid-sr-installer-1.6.1-010-308-273.run

Step 3: Prepare MOK Key for Secure Boot

There are two ways to obtain the MOK key:
      -. User-Generated MOK Key: 
            Generate your own MOK key and certificate:

1.             openssl req -new -x509 -newkey rsa:2048 -keyout ~/certs/MOK.key -out ~/certs/MOK.crt -nodes -days 3650 -subj "/CN=User Generated MOK/"

    -. Use DKMS-Generated MOK Key:
         The DKMS will auto-sign and generate the MOK key in `/var/lib/shim-signed/mok/` path, you can use this key and certificate directly if you would not want to generate a new Key.

Step 4: Re-sign the Driver Using DKMS

The pre-installer version 1.6.1-119 does not automatically sign the NVIDIA driver with a MOK key. Therefore, users need to manually re-sign the NVIDIA driver.

If you choose to generate your own MOK key, you will need to re-sign all the Graid/grebar and NVIDIA drivers with your custom MOK key. Otherwise, if using the existing MOK key, only the NVIDIA driver requires re-signing.

Rebuild DKMS with the MOK Key:
      After the MOK key is imported, rebuild and sign the NVIDIA driver using DKMS:sudo dkms remove -m <driver-name> -v <version>

1. sudo dkms build -m <driver-name> -v <version>
2. sudo dkms install -m <driver-name> -v <version>

Example: 

1.  sudo dkms remove -m nvidia -v 550.67
2.  sudo dkms build -m nvidia -v 550.67
3.  sudo dkms install -m nvidia -v 550.6

Using a Self-Generated MOK Key, resign all modules:

            Import the MOK key in advance using:

1. sudo mokutil --import ~/certs/MOK.crt
   
2. reboot
   

      After reboot the system, and confirm the MOK key enrollment in the MOK Manager during boot, then re-sing all the drivers(NVIDIA, greber and graid driver)

1. sudo dkms remove -m <driver-name> -v <version>
   
2. sudo dkms build -m <driver-name> -v <version>
   
3. sudo dkms install -m <driver-name> -v <version>

Example: 

1.  sudo dkms remove -m nvidia -v 550.67
2.  sudo dkms build -m nvidia -v 550.67
3.  sudo dkms install -m nvidia -v 550.67
4.  sudo dkms remove -m graid -v 1.6.1
5.  sudo dkms build -m graid -v 1.6.1
6.  sudo dkms install -m graid -v 1.6.1
   
7.  sudo dkms remove -m grebar -v 0.1.0
8.  sudo dkms build -m grebar -v 0.1.0
9.  sudo dkms install -m grebar -v 0.1.0

Step 5: Set Up Secure Boot Process with MOK management

 The DKMS will auto-sign and generate the MOK key in `/var/lib/shim-signed/mok/` path.

1.  sudo mokutil --import /var/lib/shim-signed/mok/MOK.der

 

 You'll be prompted to create a password. Enter it twice, it can also be blank.

Reboot the computer. At boot you'll see the MOK Manager EFI interface:

Press any key to enter it, then select "Enroll MOK":

Then select "Continue":

And confirm with "Yes" when prompted:

After this, enter the password you set up with mokutil --import in the previous step:

At this point you are done, select "OK" and the computer will reboot trusting the key for your modules:

After reboot, you can inspect the MOK certificates with the following command:

1. sudo  mokutil --list-enrolled | grep 'Subject: CN'

Example:

To check the signature on a built DKMS module that is installed on a system:

1. sudo modinfo <module> | grep 'signer:'

Example:

1. sudo modinfo nvidia | grep 'signer:'
   
2. sudo modinfo graid | grep 'signer:'
   
3. sudo modinfo grebar | grep 'signer:'

The module can now be loaded without issues.

And you can check the Secure Boot status 

1. mokutil --sb-state

You should see the output as follow:

1. SecureBoot enabled

Ref: https://github.com/dell/dkms

• Related Articles

• Offline install SupremeRAID driver(Ubuntu)#

  Environment RAID Model: SR1000 or SR1010, SR1001 Host Hardware: Intel, AMD Operating System: Linux Deb base(Ubuntu) Issue When users need to install the SupremRAID driver but cannot connect to the external network. Resolution Prepare an environment ...

• How to Configure QEMU with SupremeRAID RAID as a Datastore for Virtual Machines #

  Environment RAID Model: All Supreme RAID model Host Hardware: AMD/Intel Operating System: Linux RHEL QEMU Description Virtualization has become an essential tool for modern computing, enabling multiple virtual machines (VMs) to operate on a single ...

• Offline install SupremeRAID driver#

  Environment RAID Model: SR1000 or SR1010, SR1001 Host Hardware: Intel, AMD Operating System: Linux RPM base(Alamlinux, CentOS, RHEL, Oracle Linux) Issue When users need to install the SupremRAID driver but cannot connect to the external network. ...

• Installation Guide for SupremeRAID driver

  Environment RAID Model: SR1000 or SR1010 etc Host Hardware: AMD/Intel/Supermicro model etc Operating System: Linux etc Issue Beginning using SupremeRAID Resolution Linux Step 1: Downloading the Required Scripts ...

• Understanding the 'Buffer I/O error' Message During CentOS 7.9 Boot-Up#

  Environment RAID Model: all Graid card Host Hardware: every platform Operating System: Linux CentOS 7 Issue When booting up a CentOS 7.9 system, users may encounter an error message that reads "Buffer I/O error on dev [gpdXn1], logical block 0, async ...