feat: add Secure Boot MOK key enrollment and module signing

Generate DKMS MOK key pair during OS install, sign all unsigned kernel modules, and enroll the MOK certificate using the user's master password. On reboot, MokManager prompts the user to complete enrollment. Re-enrolls on every boot if the key exists but isn't enrolled yet. Adds setup wizard dialog to inform the user about the MokManager prompt.
2026-03-30 04:01:58 +00:00 · 2026-03-11 15:18:13 -06:00
parent 10a5bc0280
commit effcec7e2e
23 changed files with 400 additions and 20 deletions
--- a/build/lib/scripts/upgrade
+++ b/build/lib/scripts/upgrade
@@ -83,6 +83,15 @@ if [ -d /sys/firmware/efi ] && [ -f /media/startos/config/efi-installer-entry ];
    fi
 fi

+# Sign unsigned kernel modules for Secure Boot
+SIGN_FILE="$(ls -1 /media/startos/next/usr/lib/linux-kbuild-*/scripts/sign-file 2>/dev/null | head -1)"
+/media/startos/next/usr/lib/startos/scripts/sign-unsigned-modules \
+    --source /media/startos/lower \
+    --dest /media/startos/config/overlay \
+    --sign-file "$SIGN_FILE" \
+    --mok-key /media/startos/config/overlay/var/lib/dkms/mok.key \
+    --mok-pub /media/startos/config/overlay/var/lib/dkms/mok.pub
+
 sync

 umount -Rl /media/startos/next