1
0
mirror of https://github.com/morrownr/8821cu-20210916.git synced 2024-12-22 06:15:50 +00:00

improve Secure Boot support

This commit is contained in:
morrownr 2023-02-15 00:05:13 -06:00
parent 22f2cb7aa5
commit 4600c193ab
3 changed files with 67 additions and 66 deletions

82
FAQ.md
View File

@ -44,43 +44,46 @@ Answer: This [article](https://null-byte.wonderhowto.com/forum/wifi-hacking-atta
-----
Secure Boot Information
Question: The driver installation script completed successfully and the
driver is installed but does not seem to be working. What is wrong?
Answer: Turn secure boot off to see if that allows the driver to work.
This driver is primarily tested on Debian based distros such as Ubuntu,
Raspberry Pi OS and Kali. In an attempt to make this driver work well on
many Linux distros, other distros, including the Arch based Manjaro is
used for testing. Currently I do not have installations of Fedora or
OpenSUSE available for testing and reply on user reports of success or
failure. I have two test systems with secure boot on so as to test secure
boot. I have not seen any secure boot problems with Debian based systems
and I don't remember problems with Manjaro.
Answer: This question often comes up after installing the driver to a
system that has Secure Boot on. To test if there is a Secure Boot related
problem, turn secure boot off in the system BIOS and reboot. If the driver
works as expected after reboot, them the problem is likely related to
Secure Boot.
dkms is used in the installation script. It helps with a lot of issues that
will come up if a simple manual installation is used. dkms has the
capability to handle the needs of secure boot. dkms was written by and is
maintained by Dell. Dell has been offering some Ubuntu pre-loaded systems
for years so their devs likely test on Ubuntu. I suspect Fedora and
OpenSUSE may be handing their secure boot support differently than Debian
based systems and this is leading to problems. This and the other repos
I have are VERY heavily used and I am sure there are plenty of non-Debian
users that use this driver. Are they all turning off secure boot and not
reporting the problem? I don't know. What I do know is that reports like
this are rare.
What will increase my chances of having a sucessessful installation on a
system that has Secure Boot on?
For the driver to compile and install correctly but not be available
tells me there is likely a key issue. Here is an interesting link
regarding Debian systems and secure boot:
First and foremost, make sure Secure Boot is on when you initially install
your Linux distro. If your Linux distro was installed with Secure Boot off,
the easiest solution is likely to do a clean reinstallation with Secure Boot
on.
Ubuntu is used as the example but other distros should be similar to one
degree or another. During the installation there will be a box on one of
installation pages that will appear if the installation program detects
that Secure Boot is on. You will need to check the box and supply a
password. You can use the same password and you use for the system if you
wish. After the installation and reboot completes, the first screen you
should see is the mokutil screen. Mokutil will guide you through the
process of setting up your system to support Secure Boot
The `install-driver.sh` script currently supports Secure Boot if `dkms`
is installed. Here is a link to the `dkms` website. There is information
regarding Secure Boot in two sections in the `README`.
https://github.com/dell/dkms
Here is a link regarding Debian and Secure Boot:
https://wiki.debian.org/SecureBoot
That document contains a lot of information that can help an investigation
into what the real problem is and I invite you and other Fedora, OpemSUSE
and users of other distros that show this problem to investigate and
present what you know to the devs of your distro via their problem
reporting system. Turning off secure boot is NOT a fix. A real fix needs
to happen.
There is work underway to add Secure Boot suuport for systems that do not
have `dkms` available or if a manual installation is desired.
-----
@ -90,22 +93,23 @@ Answer: I have a repo that is setup to help with monitor mode:
https://github.com/morrownr/Monitor_Mode
Work to improve monitor mode is ongoing with this driver. Your
reports of success or failure are needed. If you have yet to buy an
adapter to use with monitor mode, there are adapters available that are
known to work very well with monitor mode. My recommendation for those
looking to buy an adapter for monitor mode is to buy adapters based on
the following chipsets: mt7921au, mt7612u, mt7610u, rtl8812au, rtl8821cu and
rtl8811au. My specific recommendations for adapters in order of
preference are:
Work to improve monitor mode is ongoing with this driver. Your reports of
success or failure are needed. If you have yet to buy an adapter to use with
monitor mode, there are adapters available that are known to work very well
with monitor mode. My recommendation for those looking to buy an adapter for
monitor mode is to buy adapters based on the following chipsets: mt7921au,
mt7612u, mt7610u, rtl8821cu, rtl8812bu, rtl8812au, and rtl8811au. My specific
recommendations for adapters in order of preference currently are:
ALFA AWUS036ACHM - long range - in-kernel driver
ALFA AWUS036ACM - in-kernel driver
ALFA AWUS036ACH - long range - [driver](https://github.com/morrownr/8812au-20210629)
ALFA AWUS036ACU - in-kernel driver (as of kernel 6.2) and [out-of-kernel driver](https://github.com/morrownr/8821cu)
ALFA AWUS036ACS - [driver](https://github.com/morrownr/8821au-20210708)
ALFA AWUS036ACH - long range - [driver](https://github.com/morrownr/8812au)
ALFA AWUS036ACS - [driver](https://github.com/morrownr/8821au)
To ask questions, go to [USB-WiFi](https://github.com/morrownr/USB-WiFi)
and post in `Discussions` or `Issues`.

View File

@ -2511,6 +2511,13 @@ uninstall:
rm -f $(MODDESTDIR)$(MODULE_NAME).ko
/sbin/depmod -a ${KVER}
sign:
@openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Custom MOK/"
@mokutil --import MOK.der
@$(KSRC)/scripts/sign-file sha256 MOK.priv MOK.der 8821cu.ko
sign-install: all sign install
backup_rtlwifi:
@echo "Making backup rtlwifi drivers"
ifneq (,$(wildcard $(STAGINGMODDIR)/rtl*))

View File

@ -46,9 +46,9 @@ confirm that this is the correct driver for your adapter.
- hcxdumptool
### A FAQ is available in this repo with the name FAQ.md
### A FAQ is available in this repo with the name `FAQ.md`
- Please read the FAQ and below documentation before posting issues.
- Please read the FAQ and this document before posting issues.
### Additional documentation is in the file `8821cu.conf`
@ -147,7 +147,7 @@ sudo dkms status
```
Warning: If you decide to upgrade to a new version of kernel such as
5.15 to 5.19, you need to upgrade the driver you have installed with
5.15 to 6.1, you need to upgrade the driver you have installed with
the newest available before installing the new kernel. Use the
following commands in the driver directory:
@ -185,25 +185,7 @@ It is recommended that you do not delete the driver directory after
installation as the directory contains information and scripts that you
may need in the future.
Secure Boot: The installation script, `install-driver.sh`, will
automatically support secure boot... if your distro supports the method
dkms uses. I regularly test the installation script on systems with
secure boot on. It works seemlessly on modern Ubuntu based distros as
long as secure boot was set up properly during the installation of the
operating system. Some distros, such as the Raspberry Pi OS, do not
support secure boot because the hardware they support does not support
secure boot making it unnecessary to attempt to support it. There are
distros that may require additional steps to sign the driver for secure
boot operation. Fedora is an example. In installation Step 3, note that
`openssl` must be installed as Fedora does not install it by default.
There will also be another step for Fedora after `install-driver.sh`
script is completed. This will be explained in the instructions at the
appropriate time. Overall, secure boot requires that
`openssl` and `mokutil` be installed and that additional steps be
performed if necessary. To test if secure boot is the problem: If you
install this driver and, after a reboot, the driver is not working, you
can go into the BIOS and temporarily turn secure boot off to see if
secure boot is the problem.
Secure Boot: see FAQ.
### Installation Steps
@ -216,7 +198,7 @@ on a best effort basis, based on the steps below.
#### Step 2: Update and upgrade system packages (select the option for the distro you are using)
Note: If your Linux distro does not fall into one of options listed
below, you will need to research how to update and upgrade your system
below, you will need to research how to `update` and `upgrade` your system
packages.
- Option for Debian based distributions such as Ubuntu, Kali, Armbian and Raspberry Pi OS
@ -261,7 +243,17 @@ sudo reboot
Note: If your Linux distro does not fall into one of options listed
below, you will need to research how to properly setup up the development
environment for your system.
environment for your system. General guidance is given the next paragraph.
Development Environment Requirements: (package names may vary by distro)
- Mandatory: `gcc` `make` `bc` `kernel-headers` `build-essential` `git`
- Highly recommended: `dkms` `rfkill` `iw` `ip`
- Mandatory if Secure Boot is active: `openssl` `mokutil`
Note: The below options should take care of the mandatory and highly recommended
requirements but only you know if Secure Boot is active. If Secure Boot is
active on your system, please also install the mandatory packages for Secure Boot.
- Option for Armbian (arm64)
@ -289,10 +281,8 @@ sudo apt install -y build-essential dkms git iw
- Option for Fedora
Note: Installing `openssl` is only necessary for secure boot support.
```
sudo dnf -y install git dkms kernel-devel openssl
sudo dnf -y install git dkms kernel-devel
```
- Option for openSUSE