From 4600c193ab1f843f8121b6a9af0e9ac71dbaf46e Mon Sep 17 00:00:00 2001 From: morrownr Date: Wed, 15 Feb 2023 00:05:13 -0600 Subject: [PATCH] improve Secure Boot support --- FAQ.md | 82 +++++++++++++++++++++++++++++-------------------------- Makefile | 7 +++++ README.md | 44 ++++++++++++----------------- 3 files changed, 67 insertions(+), 66 deletions(-) diff --git a/FAQ.md b/FAQ.md index 99621e2..3002f81 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -44,43 +44,46 @@ Answer: This [article](https://null-byte.wonderhowto.com/forum/wifi-hacking-atta ----- +Secure Boot Information + Question: The driver installation script completed successfully and the driver is installed but does not seem to be working. What is wrong? -Answer: Turn secure boot off to see if that allows the driver to work. -This driver is primarily tested on Debian based distros such as Ubuntu, -Raspberry Pi OS and Kali. In an attempt to make this driver work well on -many Linux distros, other distros, including the Arch based Manjaro is -used for testing. Currently I do not have installations of Fedora or -OpenSUSE available for testing and reply on user reports of success or -failure. I have two test systems with secure boot on so as to test secure -boot. I have not seen any secure boot problems with Debian based systems -and I don't remember problems with Manjaro. +Answer: This question often comes up after installing the driver to a +system that has Secure Boot on. To test if there is a Secure Boot related +problem, turn secure boot off in the system BIOS and reboot. If the driver +works as expected after reboot, them the problem is likely related to +Secure Boot. -dkms is used in the installation script. It helps with a lot of issues that -will come up if a simple manual installation is used. dkms has the -capability to handle the needs of secure boot. dkms was written by and is -maintained by Dell. Dell has been offering some Ubuntu pre-loaded systems -for years so their devs likely test on Ubuntu. I suspect Fedora and -OpenSUSE may be handing their secure boot support differently than Debian -based systems and this is leading to problems. This and the other repos -I have are VERY heavily used and I am sure there are plenty of non-Debian -users that use this driver. Are they all turning off secure boot and not -reporting the problem? I don't know. What I do know is that reports like -this are rare. 
+What will increase my chances of having a sucessessful installation on a +system that has Secure Boot on? -For the driver to compile and install correctly but not be available -tells me there is likely a key issue. Here is an interesting link -regarding Debian systems and secure boot: +First and foremost, make sure Secure Boot is on when you initially install +your Linux distro. If your Linux distro was installed with Secure Boot off, +the easiest solution is likely to do a clean reinstallation with Secure Boot +on. + +Ubuntu is used as the example but other distros should be similar to one +degree or another. During the installation there will be a box on one of +installation pages that will appear if the installation program detects +that Secure Boot is on. You will need to check the box and supply a +password. You can use the same password and you use for the system if you +wish. After the installation and reboot completes, the first screen you +should see is the mokutil screen. Mokutil will guide you through the +process of setting up your system to support Secure Boot + +The `install-driver.sh` script currently supports Secure Boot if `dkms` +is installed. Here is a link to the `dkms` website. There is information +regarding Secure Boot in two sections in the `README`. + +https://github.com/dell/dkms + +Here is a link regarding Debian and Secure Boot: https://wiki.debian.org/SecureBoot -That document contains a lot of information that can help an investigation -into what the real problem is and I invite you and other Fedora, OpemSUSE -and users of other distros that show this problem to investigate and -present what you know to the devs of your distro via their problem -reporting system. Turning off secure boot is NOT a fix. A real fix needs -to happen. +There is work underway to add Secure Boot suuport for systems that do not +have `dkms` available or if a manual installation is desired. ----- 
@@ -90,22 +93,23 @@ Answer: I have a repo that is setup to help with monitor mode: https://github.com/morrownr/Monitor_Mode -Work to improve monitor mode is ongoing with this driver. Your -reports of success or failure are needed. If you have yet to buy an -adapter to use with monitor mode, there are adapters available that are -known to work very well with monitor mode. My recommendation for those -looking to buy an adapter for monitor mode is to buy adapters based on -the following chipsets: mt7921au, mt7612u, mt7610u, rtl8812au, rtl8821cu and -rtl8811au. My specific recommendations for adapters in order of -preference are: +Work to improve monitor mode is ongoing with this driver. Your reports of +success or failure are needed. If you have yet to buy an adapter to use with +monitor mode, there are adapters available that are known to work very well +with monitor mode. My recommendation for those looking to buy an adapter for +monitor mode is to buy adapters based on the following chipsets: mt7921au, +mt7612u, mt7610u, rtl8821cu, rtl8812bu, rtl8812au, and rtl8811au. My specific +recommendations for adapters in order of preference currently are: ALFA AWUS036ACHM - long range - in-kernel driver ALFA AWUS036ACM - in-kernel driver -ALFA AWUS036ACH - long range - [driver](https://github.com/morrownr/8812au-20210629) +ALFA AWUS036ACU - in-kernel driver (as of kernel 6.2) and [out-of-kernel driver](https://github.com/morrownr/8821cu) -ALFA AWUS036ACS - [driver](https://github.com/morrownr/8821au-20210708) +ALFA AWUS036ACH - long range - [driver](https://github.com/morrownr/8812au) + +ALFA AWUS036ACS - [driver](https://github.com/morrownr/8821au) To ask questions, go to [USB-WiFi](https://github.com/morrownr/USB-WiFi) and post in `Discussions` or `Issues`. diff --git a/Makefile b/Makefile index 7161e66..c7a07a1 100644 --- a/Makefile +++ b/Makefile 
@@ -2511,6 +2511,13 @@ uninstall: rm -f $(MODDESTDIR)$(MODULE_NAME).ko /sbin/depmod -a ${KVER} +sign: + @openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Custom MOK/" + @mokutil --import MOK.der + @$(KSRC)/scripts/sign-file sha256 MOK.priv MOK.der 8821cu.ko + +sign-install: all sign install + backup_rtlwifi: @echo "Making backup rtlwifi drivers" ifneq (,$(wildcard $(STAGINGMODDIR)/rtl*)) diff --git a/README.md b/README.md index 2d40db8..fe0a4bf 100644 --- a/README.md +++ b/README.md @@ -46,9 +46,9 @@ confirm that this is the correct driver for your adapter. - hcxdumptool -### A FAQ is available in this repo with the name FAQ.md +### A FAQ is available in this repo with the name `FAQ.md` -- Please read the FAQ and below documentation before posting issues. +- Please read the FAQ and this document before posting issues. ### Additional documentation is in the file `8821cu.conf` @@ -147,7 +147,7 @@ sudo dkms status ``` Warning: If you decide to upgrade to a new version of kernel such as -5.15 to 5.19, you need to upgrade the driver you have installed with +5.15 to 6.1, you need to upgrade the driver you have installed with the newest available before installing the new kernel. Use the following commands in the driver directory: 
@@ -185,25 +185,7 @@ It is recommended that you do not delete the driver directory after installation as the directory contains information and scripts that you may need in the future. -Secure Boot: The installation script, `install-driver.sh`, will -automatically support secure boot... if your distro supports the method -dkms uses. I regularly test the installation script on systems with -secure boot on. It works seemlessly on modern Ubuntu based distros as -long as secure boot was set up properly during the installation of the -operating system. Some distros, such as the Raspberry Pi OS, do not -support secure boot because the hardware they support does not support -secure boot making it unnecessary to attempt to support it. There are -distros that may require additional steps to sign the driver for secure -boot operation. Fedora is an example. In installation Step 3, note that -`openssl` must be installed as Fedora does not install it by default. -There will also be another step for Fedora after `install-driver.sh` -script is completed. This will be explained in the instructions at the -appropriate time. Overall, secure boot requires that -`openssl` and `mokutil` be installed and that additional steps be -performed if necessary. To test if secure boot is the problem: If you -install this driver and, after a reboot, the driver is not working, you -can go into the BIOS and temporarily turn secure boot off to see if -secure boot is the problem. +Secure Boot: see FAQ. ### Installation Steps @@ -216,7 +198,7 @@ on a best effort basis, based on the steps below. #### Step 2: Update and upgrade system packages (select the option for the distro you are using) Note: If your Linux distro does not fall into one of options listed -below, you will need to research how to update and upgrade your system +below, you will need to research how to `update` and `upgrade` your system packages. - Option for Debian based distributions such as Ubuntu, Kali, Armbian and Raspberry Pi OS 
@@ -261,7 +243,17 @@ sudo reboot Note: If your Linux distro does not fall into one of options listed below, you will need to research how to properly setup up the development -environment for your system. +environment for your system. General guidance is given the next paragraph. + +Development Environment Requirements: (package names may vary by distro) + +- Mandatory: `gcc` `make` `bc` `kernel-headers` `build-essential` `git` +- Highly recommended: `dkms` `rfkill` `iw` `ip` +- Mandatory if Secure Boot is active: `openssl` `mokutil` + +Note: The below options should take care of the mandatory and highly recommended +requirements but only you know if Secure Boot is active. If Secure Boot is +active on your system, please also install the mandatory packages for Secure Boot. - Option for Armbian (arm64) @@ -289,10 +281,8 @@ sudo apt install -y build-essential dkms git iw - Option for Fedora -Note: Installing `openssl` is only necessary for secure boot support. - ``` -sudo dnf -y install git dkms kernel-devel openssl +sudo dnf -y install git dkms kernel-devel ``` - Option for openSUSE
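Review bot: in the FAQ.md hunk at `@@ -44,43 +44,46 @@`, the added Secure Boot answer has typos that should be fixed before merge: "them the problem" (then), "sucessessful", "the same password and you use" (as you use), "suuport", and the sentence ending "support Secure Boot" has no period. The screen shown after the reboot is the shim's MOK Manager, not `mokutil`; `mokutil` is the userspace tool that queues the enrollment request, so naming the screen correctly will help readers recognise it. "There is information regarding Secure Boot in two sections in the `README`" is ambiguous now that this repo's README says only "Secure Boot: see FAQ."; say explicitly that the dkms README is meant.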
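Review bot: in the Makefile hunk at `@@ -2511,6 +2511,13 @@`, the `sign` target writes an unencrypted private key (`-nodes`, `-keyout MOK.priv`) into the build directory with a validity of about 100 years (`-days 36500`), and it generates a new key on every invocation. Once `MOK.der` is enrolled, anyone who can read `MOK.priv` can sign modules that this machine will load under Secure Boot, so create the key under a restrictive umask or chmod it to 0600, keep it outside the source tree (or at least list `MOK.priv` and `MOK.der` in `.gitignore`), and skip key generation and `mokutil --import` when a key already exists so that a repeated `make sign` does not force a new enrollment and reboot. The signed file is hard-coded as `8821cu.ko` while the `uninstall` context line just above uses `$(MODULE_NAME).ko`; use the variable here as well. The `@` prefixes hide the commands, so the user gets a `mokutil` password prompt with no explanation; echo a short message before the import.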
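Review bot: in the README.md hunk at `@@ -185,25 +185,7 @@`, replacing the paragraph with "Secure Boot: see FAQ." drops information that the new FAQ text in this patch does not carry: that Fedora may need an additional signing step after `install-driver.sh`, and that Raspberry Pi OS does not support Secure Boot. Move those sentences into the FAQ's Secure Boot section or keep them here. Make the pointer a link to `FAQ.md`, and document the new `make sign` and `make sign-install` targets in one of the two files; the FAQ currently says only that work is underway for installations without `dkms`.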
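Review bot: in the README.md hunk at `@@ -261,7 +243,17 @@`, the new requirements list mixes package names with command names: `ip` is a command (packaged as iproute2 on most distros), and `build-essential` is a Debian/Ubuntu meta-package that already pulls in `gcc` and `make`, so listing it as mandatory next to them will confuse users of other distros. Separate the generic tools from the distro-specific package names. "General guidance is given the next paragraph" is missing "in". Instead of "only you know if Secure Boot is active", tell the reader how to check, for example with `mokutil --sb-state`.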
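Review bot: in the Fedora option at `@@ -289,10 +281,8 @@`, removing `openssl` from the `dnf` line together with its note leaves Fedora users who have Secure Boot on without a package that the new requirements list marks as mandatory, and the README paragraph removed elsewhere in this patch stated that Fedora does not install it by default. Keep `openssl` in the command and add `mokutil`, or add a line under this option that repeats the Secure Boot packages.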