improve Secure Boot support

FAQ.md

@@ -44,43 +44,46 @@ Answer: This [article](https://null-byte.wonderhowto.com/forum/wifi-hacking-atta
 
 -----
 
+Secure Boot Information
+
 Question: The driver installation script completed successfully and the
 driver is installed but does not seem to be working. What is wrong?
 
-Answer: Turn secure boot off to see if that allows the driver to work.
-This driver is primarily tested on Debian based distros such as Ubuntu,
-Raspberry Pi OS and Kali. In an attempt to make this driver work well on
-many Linux distros, other distros, including the Arch based Manjaro is
-used for testing. Currently I do not have installations of Fedora or
-OpenSUSE available for testing and reply on user reports of success or
-failure. I have two test systems with secure boot on so as to test secure
-boot. I have not seen any secure boot problems with Debian based systems
-and I don't remember problems with Manjaro.
+Answer: This question often comes up after installing the driver to a
+system that has Secure Boot on. To test if there is a Secure Boot related
+problem, turn secure boot off in the system BIOS and reboot.  If the driver
+works as expected after reboot, them the problem is likely related to
+Secure Boot.
 
-dkms is used in the installation script. It helps with a lot of issues that
-will come up if a simple manual installation is used. dkms has the
-capability to handle the needs of secure boot. dkms was written by and is
-maintained by Dell. Dell has been offering some Ubuntu pre-loaded systems
-for years so their devs likely test on Ubuntu. I suspect Fedora and
-OpenSUSE may be handing their secure boot support differently than Debian
-based systems and this is leading to problems. This and the other repos
-I have are VERY heavily used and I am sure there are plenty of non-Debian
-users that use this driver. Are they all turning off secure boot and not
-reporting the problem? I don't know. What I do know is that reports like
-this are rare.
+What will increase my chances of having a sucessessful installation on a
+system that has Secure Boot on?
 
-For the driver to compile and install correctly but not be available
-tells me there is likely a key issue. Here is an interesting link
-regarding Debian systems and secure boot:
+First and foremost, make sure Secure Boot is on when you initially install
+your Linux distro. If your Linux distro was installed with Secure Boot off,
+the easiest solution is likely to do a clean reinstallation with Secure Boot
+on.
+
+Ubuntu is used as the example but other distros should be similar to one
+degree or another. During the installation there will be a box on one of
+installation pages that will appear if the installation program detects
+that Secure Boot is on. You will need to check the box and supply a
+password. You can use the same password and you use for the system if you
+wish. After the installation and reboot completes, the first screen you
+should see is the mokutil screen. Mokutil will guide you through the 
+process of setting up your system to support Secure Boot
+
+The `install-driver.sh` script currently supports Secure Boot if `dkms`
+is installed. Here is a link to the `dkms` website. There is information
+regarding Secure Boot in two sections in the `README`.
+
+https://github.com/dell/dkms
+
+Here is a link regarding Debian and Secure Boot:
 
 https://wiki.debian.org/SecureBoot
 
-That document contains a lot of information that can help an investigation
-into what the real problem is and I invite you and other Fedora, OpemSUSE
-and users of other distros that show this problem to investigate and
-present what you know to the devs of your distro via their problem
-reporting system. Turning off secure boot is NOT a fix. A real fix needs
-to happen.
+There is work underway to add Secure Boot suuport for systems that do not
+have `dkms` available or if a manual installation is desired.
 
 -----
 
@@ -90,22 +93,23 @@ Answer: I have a repo that is setup to help with monitor mode:
 
 https://github.com/morrownr/Monitor_Mode
 
-Work to improve monitor mode is ongoing with this driver. Your
-reports of success or failure are needed. If you have yet to buy an
-adapter to use with monitor mode, there are adapters available that are
-known to work very well with monitor mode. My recommendation for those
-looking to buy an adapter for monitor mode is to buy adapters based on
-the following chipsets: mt7921au, mt7612u, mt7610u, rtl8812au, rtl8821cu and
-rtl8811au. My specific recommendations for adapters in order of
-preference are:
+Work to improve monitor mode is ongoing with this driver. Your reports of
+success or failure are needed. If you have yet to buy an adapter to use with
+monitor mode, there are adapters available that are known to work very well
+with monitor mode. My recommendation for those looking to buy an adapter for
+monitor mode is to buy adapters based on the following chipsets: mt7921au,
+mt7612u, mt7610u, rtl8821cu, rtl8812bu, rtl8812au, and rtl8811au. My specific
+recommendations for adapters in order of preference currently are:
 
 ALFA AWUS036ACHM - long range - in-kernel driver
 
 ALFA AWUS036ACM - in-kernel driver
 
-ALFA AWUS036ACH - long range - [driver](https://github.com/morrownr/8812au-20210629)
+ALFA AWUS036ACU - in-kernel driver (as of kernel 6.2) and [out-of-kernel driver](https://github.com/morrownr/8821cu)
 
-ALFA AWUS036ACS - [driver](https://github.com/morrownr/8821au-20210708)
+ALFA AWUS036ACH - long range - [driver](https://github.com/morrownr/8812au)
+
+ALFA AWUS036ACS - [driver](https://github.com/morrownr/8821au)
 
 To ask questions, go to [USB-WiFi](https://github.com/morrownr/USB-WiFi)
 and post in `Discussions` or `Issues`.

Makefile

@@ -2511,6 +2511,13 @@ uninstall:
 	rm -f $(MODDESTDIR)$(MODULE_NAME).ko
 	/sbin/depmod -a ${KVER}
 
+sign:
+	@openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Custom MOK/"
+	@mokutil --import MOK.der
+	@$(KSRC)/scripts/sign-file sha256 MOK.priv MOK.der 8821cu.ko
+
+sign-install: all sign install
+
 backup_rtlwifi:
 	@echo "Making backup rtlwifi drivers"
 ifneq (,$(wildcard $(STAGINGMODDIR)/rtl*))

README.md

@@ -46,9 +46,9 @@ confirm that this is the correct driver for your adapter.
 
 - hcxdumptool
 
-### A FAQ is available in this repo with the name FAQ.md
+### A FAQ is available in this repo with the name `FAQ.md`
 
-- Please read the FAQ and below documentation before posting issues.
+- Please read the FAQ and this document before posting issues.
 
 ### Additional documentation is in the file `8821cu.conf`
 
@@ -147,7 +147,7 @@ sudo dkms status
 ```
 
 Warning: If you decide to upgrade to a new version of kernel such as
-5.15 to 5.19, you need to upgrade the driver you have installed with
+5.15 to 6.1, you need to upgrade the driver you have installed with
 the newest available before installing the new kernel. Use the
 following commands in the driver directory:
 
@@ -185,25 +185,7 @@ It is recommended that you do not delete the driver directory after
 installation as the directory contains information and scripts that you
 may need in the future.
 
-Secure Boot: The installation script, `install-driver.sh`, will
-automatically support secure boot... if your distro supports the method
-dkms uses. I regularly test the installation script on systems with
-secure boot on. It works seemlessly on modern Ubuntu based distros as
-long as secure boot was set up properly during the installation of the
-operating system. Some distros, such as the Raspberry Pi OS, do not
-support secure boot because the hardware they support does not support
-secure boot making it unnecessary to attempt to support it. There are
-distros that may require additional steps to sign the driver for secure
-boot operation. Fedora is an example. In installation Step 3, note that
-`openssl` must be installed as Fedora does not install it by default.
-There will also be another step for Fedora after `install-driver.sh`
-script is completed. This will be explained in the instructions at the
-appropriate time. Overall, secure boot requires that
-`openssl` and `mokutil` be installed and that additional steps be
-performed if necessary. To test if secure boot is the problem:  If you
-install this driver and, after a reboot, the driver is not working, you
-can go into the BIOS and temporarily turn secure boot off to see if
-secure boot is the problem.
+Secure Boot: see FAQ.
 
 ### Installation Steps
 
@@ -216,7 +198,7 @@ on a best effort basis, based on the steps below.
 #### Step 2: Update and upgrade system packages (select the option for the distro you are using)
 
 Note: If your Linux distro does not fall into one of options listed
-below, you will need to research how to update and upgrade your system
+below, you will need to research how to `update` and `upgrade` your system
 packages.
 
 - Option for Debian based distributions such as Ubuntu, Kali, Armbian and Raspberry Pi OS
@@ -261,7 +243,17 @@ sudo reboot
 
 Note: If your Linux distro does not fall into one of options listed
 below, you will need to research how to properly setup up the development
-environment for your system.
+environment for your system. General guidance is given the next paragraph.
+
+Development Environment Requirements: (package names may vary by distro)
+
+- Mandatory: `gcc` `make` `bc` `kernel-headers` `build-essential` `git`
+- Highly recommended: `dkms` `rfkill` `iw` `ip`
+- Mandatory if Secure Boot is active: `openssl` `mokutil`
+
+Note: The below options should take care of the mandatory and highly recommended
+requirements but only you know if Secure Boot is active. If Secure Boot is
+active on your system, please also install the mandatory packages for Secure Boot.
 
 - Option for Armbian (arm64)
 
@@ -289,10 +281,8 @@ sudo apt install -y build-essential dkms git iw
 
 - Option for Fedora
 
-Note: Installing `openssl` is only necessary for secure boot support.
-
 ```
-sudo dnf -y install git dkms kernel-devel openssl
+sudo dnf -y install git dkms kernel-devel
 ```
 
 - Option for openSUSE