How to sign kernel modules on Fedora

So you tried to load your modules and got a message that is similar to the following one:

[[email protected] ~]$ sudo modprobe -v acpi_call
insmod /lib/modules/4.10.13-200.fc25.x86_64/extra/acpi_call/acpi_call.ko 
modprobe: ERROR: could not insert 'acpi_call': Required key not available

No worries, there is a fix for that, you have to sign your modules before they can be loaded. This happens because you are using a neat feature called secure boot, which prevents unsigned modules to be loaded.

Step 1: Create your own keys

So in order to sign your modules you need to generate your set of keys and load it into your machine. You can generate your keys using the following command:

openssl req -new -x509 -newkey rsa:2048 \
        -keyout name-of-your-keys.priv \
        -outform DER -out name-of-your-keys.der \ 
        -nodes -days 36500 -subj "/CN=WhateverYouNameIt/"

And to load the newly generated keys:

sudo mokutil --import name-of-your-keys.der

Warning: On the command above you’ll be prompted for a password, put any password you want, just make sure to remember because you’ll need it for the next step.

Now you have to reboot your machine and follow the steps at the screen to enroll your new keys.

Step 2: Sign your modules

To sign your module you have to run the following command:

sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 \
     ./name-of-your-keys.priv ./name-of-your-keys.der \
     /lib/modules/4.10.13-200.fc25.x86_64/extra/acpi_call/acpi_call.ko

Just make sure to inform the right path of your keys and your modules. After the signing process you can use modprobe to load your modules as intended.

Enjoy!