
Secure boot

Newer computer systems with UEFI firmware sometimes have secure boot enabled, which prevents code from being loaded unless it is signed by Microsoft. To work within that restriction, Linux distributions use a pre-loader called shim that is signed by Microsoft and which in turn can load code signed by the distribution, such as Canonical or Debian kernels and kernel modules.

This means that to compile and load third-party drivers like ours (or Nvidia’s), that are not signed by the Linux distributions, you would need to:

But before starting to execute one of these methods, let’s make sure that you have secure boot enabled. Open a terminal and run this command:

sudo mokutil --sb-state

If it reports “SecureBoot enabled”, continue reading. If it reports “SecureBoot disabled”, please stop and email us, as your issue likely isn’t related to secure boot.

Disable secure boot

If you choose to disable secure boot, you need to enter the UEFI (BIOS) settings by pressing Del or some other key when your computer boots. For more information, see this askubuntu question. After you disable secure boot, you might need to run our installer again for the driver to load.

If you disable secure boot, you don’t need to read the rest of this document.

Create your own driver signing key

When you run our installer and your Linux distribution detects an attempt to install a third-party driver while secure boot is enabled, it shows a series of dialogs. You’re supposed to go through them, enter a “signing key password”, and then reboot and enter that password once more while the computer boots! This is a bit complicated, which is why we suggest the “Disable secure boot” method instead. If you saw the following dialogs but closed them by mistake, run our installer again so that they show up once more.

This is the initial dialog, which explains secure boot. Press the Enter key to continue:

┌────────────────────────┤ Configuring Secure Boot ├───────────────────────┐
│                                                                          │
│ Your system has UEFI Secure Boot enabled.                                │
│                                                                          │
│ UEFI Secure Boot requires additional configuration to work with          │
│ third-party drivers.                                                     │
│                                                                          │
│ The system will assist you in configuring UEFI Secure Boot. To permit    │
│ the use of third-party drivers, a new Machine-Owner Key (MOK) has been   │
│ generated. This key now needs to be enrolled in your system's firmware.  │
│                                                                          │
│ To ensure that this change is being made by you as an authorized user,   │
│ and not by an attacker, you must choose a password now and then confirm  │
│ the change after reboot using the same password, in both the "Enroll     │
│ MOK" and "Change Secure Boot state" menus that will be presented to you  │
│ when this system reboots.                                                │
│                                                                          │
│ If you proceed but do not confirm the password upon reboot, Ubuntu will  │
│ still be able to boot on your system but any hardware that requires      │
│ third-party drivers to work correctly may not be usable.                 │
│                                                                          │
│                                  <Ok>                                    │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

In the next dialog you define a password:

┌────────────────────────┤ Configuring Secure Boot ├───────────────────────┐
│                                                                          │
│                                                                          │
│ Enter a password for Secure Boot. It will be asked again after a reboot. │
│                                                                          │
│ ________________________________________________________________________ │
│                                                                          │
│                    <Ok>                        <Cancel>                  │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

Enter the password again:

┌────────────────────────┤ Configuring Secure Boot ├───────────────────────┐
│                                                                          │
│                                                                          │
│ Enter the same password again to verify you have typed it correctly.     │
│                                                                          │
│ ________________________________________________________________________ │
│                                                                          │
│                    <Ok>                        <Cancel>                  │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

At that point the driver installation finishes with the following error message, as the system doesn’t yet trust the signing key that you just created:

modprobe: ERROR: could not insert '88x2bu': Operation not permitted

Now you’re supposed to reboot your computer. Very early in the boot process, right before the GRUB boot manager shows up, you’ll see the following dialog. Select “Enroll MOK” and press Enter:

┌──────────────────────────────────────────────────────────────────────────┐
│                          Perform MOK management                          │
│                                                                          │
│                        ┌───────────────────────┐                         │
│                        │     Continue boot     │                         │
│                        │      Enroll MOK       │                         │
│                        │ Enroll key from disk  │                         │
│                        │ Enroll hash from disk │                         │
│                        └───────────────────────┘                         │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

Select Continue:

┌──────────────────────────────────────────────────────────────────────────┐
│                                Enroll MOK                                │
│                                                                          │
│                              ┌────────────┐                              │
│                              │ View key 0 │                              │
│                              │  Continue  │                              │
│                              └────────────┘                              │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

Select Yes:

┌──────────────────────────────────────────────────────────────────────────┐
│                             Enroll the keys?                             │
│                                                                          │
│                                 ┌─────┐                                  │
│                                 │ No  │                                  │
│                                 │ Yes │                                  │
│                                 └─────┘                                  │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

Enter the same password as in the initial dialogs:

┌──────────────────────────────────────────────────────────────────────────┐
│                             Enroll the keys?                             │
│                                                                          │
│                        ┌────────────────────────┐                        │
│                        │ Password:              │                        │
│                        └────────────────────────┘                        │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

Select Reboot:

┌──────────────────────────────────────────────────────────────────────────┐
│                          Perform MOK management                          │
│                                                                          │
│                        ┌───────────────────────┐                         │
│                        │        Reboot         │                         │
│                        │ Enroll key from disk  │                         │
│                        │ Enroll hash from disk │                         │
│                        └───────────────────────┘                         │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

The procedure is now complete. The shim pre-loader has enrolled your self-generated driver signing key into your UEFI settings, so our driver will now load without “Operation not permitted” errors.
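
To check where a machine stands in this procedure, the following added example (not part of the original page or of the driver's installer) classifies the output of `mokutil --sb-state`, `modinfo -F signer` and `mokutil --test-key`. The certificate path passed to `check_live` and the exact wording matched in the key-test output are assumptions, and the sample values at the end are constructed.

```shell
#!/bin/sh
# Added example: explain why a third-party module is (or is not) accepted
# under secure boot, from the output of three commands.

# diagnose SB_STATE SIGNER KEY_TEST -> prints one verdict word
#   SB_STATE : output of `mokutil --sb-state`
#   SIGNER   : output of `modinfo -F signer <module>` (empty if unsigned)
#   KEY_TEST : output of `mokutil --test-key <certificate.der>`
# Assumption: mokutil words the key test as "is not enrolled",
# "is already enrolled" or "is already in the enrollment request".
diagnose() {
    case "$1" in
        *"SecureBoot enabled"*) ;;
        *) echo "secure-boot-off"; return 0 ;;   # signatures are not enforced
    esac
    if [ -z "$2" ]; then
        echo "module-unsigned"; return 0         # the installer never signed it
    fi
    case "$3" in
        *"enrollment request"*)  echo "reboot-and-enroll" ;; # password set, MOK dialog pending
        *"is already enrolled"*) echo "key-enrolled" ;;      # firmware trusts this key
        *)                       echo "key-not-enrolled" ;;  # modprobe: Operation not permitted
    esac
}

# Gather the three inputs on a real machine (run as root, like the page's
# mokutil command). Both arguments come from the caller; the certificate
# path is hypothetical and depends on where your distribution stored the MOK.
# usage: check_live 88x2bu /path/to/MOK.der
check_live() {
    diagnose "$(mokutil --sb-state 2>&1)" \
             "$(modinfo -F signer "$1" 2>/dev/null)" \
             "$(mokutil --test-key "$2" 2>&1)"
}

# Constructed sample: the state right after the password dialogs, before reboot.
sample_sb="SecureBoot enabled"
sample_signer="Constructed Secure Boot Module Signature key"
sample_test="/constructed/MOK.der is already in the enrollment request"
echo "sample verdict: $(diagnose "$sample_sb" "$sample_signer" "$sample_test")"
```

A `key-enrolled` verdict only shows that the tested certificate is trusted; compare the signer name printed by `modinfo` with that certificate's subject to confirm the module was signed by the same key.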