Loading the Metis driver in a system with Secure Boot

If the host has Secure Boot enabled, a kernel module must be signed before the kernel will load it, and the signing key must be enrolled with the system's UEFI hardware.

Check whether Secure Boot is enabled

# Install mokutil if missing
sudo apt install mokutil

# Check if Secure Boot is enabled
sudo mokutil --sb-state

If Secure Boot is enabled but the Metis kernel module has not been signed, you will see this error when loading the module:

$ sudo modprobe metis
modprobe: ERROR: could not insert 'metis': Key was rejected by service

If Secure Boot is already set up

On an Ubuntu 22.04 system that already has Secure Boot enabled, a signing key (a Machine Owner Key, or MOK) is usually already generated and enrolled with the UEFI hardware. In that case, any driver built with DKMS is signed with that key automatically, so nothing needs to be done.

If the module loads (check with lsmod | grep metis) or sudo modprobe metis succeeds, you are done. Otherwise, proceed as follows.

1. Create a signing key-pair (if none exists)

First, check whether a MOK key already exists:

# Check whether there is a signing key on the machine
file /var/lib/shim-signed/mok/MOK.der

If not, generate a new one and copy it into place:

# Install openssl if not already present
sudo apt install openssl

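# Create a private working directory for the key material.
# mktemp -d creates it with mode 0700 and an unpredictable name,
# unlike a fixed path under the shared /tmp directory.
cd "$(mktemp -d /tmp/module-signing.XXXXXX)"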

# Generate a private key
openssl genrsa -out MOK.priv 4096

# Generate a public key from the private key
openssl rsa -in MOK.priv -pubout -out MOK.pub

# Create an X.509 certificate for signing
openssl req -new -x509 -key MOK.priv -out MOK.x509 -days 3650

# Convert the X.509 certificate to DER format for mokutil
openssl x509 -in MOK.x509 -outform DER -out MOK.der

# Copy the files to the system directory
sudo mkdir -p /var/lib/shim-signed/mok
sudo chown root:root MOK.*
sudo chmod 644 MOK.der
sudo chmod 644 MOK.x509
sudo chmod 600 MOK.priv
sudo mv MOK.der /var/lib/shim-signed/mok/
sudo mv MOK.x509 /var/lib/shim-signed/mok/
sudo mv MOK.priv /var/lib/shim-signed/mok/

Read the certificate in human-readable form:

openssl x509 -in /var/lib/shim-signed/mok/MOK.der -inform DER -text -noout

Take note of the Serial Number of the key in the output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:23:71:8f:1f:cc:78:71:e7:fb:b7:f9:c7:66:09:9f:2e:1f:42:de
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = myhost Secure Boot Module Signature key

2. Register the signing key with UEFI

For Secure Boot to accept the signed module, the signing key must be added to the Machine Owner Key (MOK) database. First, check whether the key has already been enrolled:

sudo mokutil --list-enrolled

If a key with the serial number from the previous step appears, it is already registered with UEFI — skip to the next step. Otherwise, enroll it:

# Import your key to the MOK list
sudo mokutil --import /var/lib/shim-signed/mok/MOK.der

Enrolling the key on reboot

You will be prompted to create a one-time password. After running this command, reboot. During boot, the MOK management utility appears and asks you to enroll the key using the password you created.

3. Sign the kernel module with the enrolled key

Check whether the kernel module binary is already signed with the same key:

modinfo metis | grep sig_key

If the signing key has the serial number from the previous steps, the module is signed correctly — skip to the next step. Otherwise, use DKMS to build the module with the key.

Requires the metis-dkms package

This step assumes the metis-dkms package, which includes the driver source code, is installed. If it is not, refer to the product documentation on how to install it.

# Get the version number of the installed module
export METIS_MODULE_VERSION=$(modinfo metis | grep "^version" | awk '{print $2}')

# Remove the existing module binary, then rebuild and reinstall it with DKMS
sudo dkms remove -m metis -v "$METIS_MODULE_VERSION"
sudo dkms build -m metis -v "$METIS_MODULE_VERSION"
sudo dkms install -m metis -v "$METIS_MODULE_VERSION"

DKMS re-signs automatically

With DKMS, the module is signed automatically every time it is rebuilt (for example, when you upgrade the running kernel) — no further action is required.

Sign a module built without DKMS

If the module was built without DKMS, sign it as follows:

# You may need to update /usr/lib/modules/$(uname -r)/updates/ with the path
# where the module has been installed for the running kernel
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
    /var/lib/shim-signed/mok/MOK.priv \
    /var/lib/shim-signed/mok/MOK.x509 \
    /usr/lib/modules/$(uname -r)/updates/metis.ko
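
The serial-number comparisons from steps 1 to 3, done mechanically. This is an added example, not part of the original documentation: it takes the text printed by openssl x509 -text, mokutil --list-enrolled and modinfo, and reports the first step that is still outstanding. The function names and sample outputs are constructed for illustration, and it assumes the long serial form shown in step 1.

```shell
#!/bin/sh
# Added example: works on the text output of the three commands used on this page.
# Real use:
#   signing_status "$(openssl x509 -in /var/lib/shim-signed/mok/MOK.der -inform DER -text -noout)" \
#                  "$(sudo mokutil --list-enrolled)" "$(modinfo metis)"

# Canonical serial: no colons or blanks, lowercase hex.
norm() { tr -d ' \t:' | tr 'A-F' 'a-f'; }

# Serials found in `openssl x509 -text` / `mokutil --list-enrolled` output, one per line.
# Assumption: long-form serials, printed on the line after "Serial Number:".
cert_serials() { awk '/Serial Number:[ \t]*$/ { if ((getline) > 0) print }' | norm; }

# Serial in the sig_key field of `modinfo` output (empty for an unsigned module).
module_serial() { awk '$1 == "sig_key:" { print $2 }' | norm; }

# signing_status CERT_TEXT ENROLLED_TEXT MODINFO_TEXT
# Prints "ok" or the first step of the procedure that is still outstanding.
signing_status() {
    want=$(printf '%s\n' "$1" | cert_serials | head -n 1)
    [ -n "$want" ] || { echo "no-cert-serial"; return 1; }
    if ! printf '%s\n' "$2" | cert_serials | grep -qxF "$want"; then
        echo "key-not-enrolled"; return 1
    fi
    have=$(printf '%s\n' "$3" | module_serial)
    [ -n "$have" ] || { echo "module-unsigned"; return 1; }
    [ "$have" = "$want" ] || { echo "module-signed-with-other-key"; return 1; }
    echo "ok"
}

# Constructed sample outputs; the serial is the one in the page's example certificate.
CERT='        Serial Number:
            23:23:71:8f:1f:cc:78:71:e7:fb:b7:f9:c7:66:09:9f:2e:1f:42:de'
ENROLLED="[key 1]
$CERT"
MODINFO='sig_key:        23:23:71:8F:1F:CC:78:71:E7:FB:B7:F9:C7:66:09:9F:2E:1F:42:DE'

signing_status "$CERT" "$ENROLLED" "$MODINFO"
```

The comparison is case- and colon-insensitive because modinfo prints the serial in upper case while openssl prints it in lower case.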

4. Load the kernel module

Confirm the module loads successfully:

# Load the module
sudo modprobe metis

# Check that the 'metis' device class has been created in the kernel
file /sys/class/metis

# Check the kernel log for messages
sudo dmesg | tail -n 50

Next steps

Once the module is loaded, continue with installing the rest of the Voyager SDK, if you have not already.