The new servers being built at work use SecureBoot — something that you don’t even notice 99% of the time. But that 1% where you are doing something “strange” like trying to use OpenZFS … well, you’ve got to sign any kernel modules that you need to use. Just installing them doesn’t work — they won’t load.
To sign a kernel module, first you need to create a signing key and use mokutil to import it into the machine owner key store.
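```shell
cd /root
mkdir signing
cd signing
# Create a self-signed certificate (MOK.der) and its private key (MOK.priv);
# -nodes leaves the private key unencrypted on disk
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Windstream/"
# Queue the certificate for enrollment at the next boot (prompts for a password)
mokutil --import MOK.der
```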
When you run mokutil, you will set a password. This password will be needed to complete importing the key to the machine.
![](https://www.rushworth.us/lisa/wp-content/uploads/2024/05/EnrollMok0-1024x106.png)
Get access to the console — out of band management, vSphere manager, stand in front of the server. Reboot, and there will be a “press any key” screen for ten seconds that begins the import process. Press any key!
![](https://www.rushworth.us/lisa/wp-content/uploads/2024/05/EnrollMok1.png)
Select “Enroll MOK”
![](https://www.rushworth.us/lisa/wp-content/uploads/2024/05/EnrollMok2.png)
View the key and verify it is the right one, then use ‘Continue’ to import it
![](https://www.rushworth.us/lisa/wp-content/uploads/2024/05/EnrollMok3.png)
Enter the password used when you ran mokutil
![](https://www.rushworth.us/lisa/wp-content/uploads/2024/05/EnrollMok4-1024x683.png)
Then reboot
![](https://www.rushworth.us/lisa/wp-content/uploads/2024/05/EnrollMok5.png)
To verify your key has been successfully enrolled:
```shell
mokutil --list-enrolled
```
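An added example, not from the original post: a POSIX shell check that compares the SHA-1 fingerprint of MOK.der against `mokutil --list-enrolled` and `mokutil --list-new`, so a key that was imported but is still waiting for the console steps is reported separately from one that is enrolled. The function names and the `MOK_CERT` variable are assumptions made for this example, as is the `SHA1 Fingerprint:` line format in mokutil's listings.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# MOK_CERT variable are hypothetical; the "SHA1 Fingerprint:" line format
# of mokutil's listings is assumed.

# Print the SHA-1 fingerprint of a DER certificate, e.g. AB:CD:...
der_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Succeed if fingerprint $1 appears in listing text $2 (case-insensitive).
listing_has_fp() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | grep -qiF -- "SHA1 Fingerprint: $1"
}

# Classify a fingerprint: $1 = fingerprint, $2 = enrolled listing,
# $3 = pending listing (imported, not yet confirmed at the console).
mok_state() {
    if listing_has_fp "$1" "$2"; then
        echo enrolled
    elif listing_has_fp "$1" "$3"; then
        echo pending-reboot
    else
        echo not-imported
    fi
}

# Live check, only when MOK_CERT names a certificate file.
if [ -n "${MOK_CERT:-}" ]; then
    fp=$(der_fingerprint "$MOK_CERT")
    [ -n "$fp" ] || exit 2
    mok_state "$fp" "$(mokutil --list-enrolled)" "$(mokutil --list-new)"
fi
```

Run it with `MOK_CERT=/root/signing/MOK.der` set in the environment; `pending-reboot` means the console enrollment steps above have not been completed yet.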