# Configuring Secure Boot

This guide provides instructions for configuring Secure Boot when using packages with signed prebuilt kernel modules (KMD prebuilds). Before starting the configuration, check if Secure Boot is enabled on your system by running the following command:

``` bash
mokutil --sb-state
```

This command returns the Secure Boot status. If Secure Boot is enabled, follow this procedure to ensure that signed kernel modules from prebuilt kernel module packages can be loaded successfully.

## Adding the Distinguished Encoding Rules (DER) certificate to the system

```{admonition} Important update: signing key renewal
As part of our latest [rolling](../releases/rolling-release-notes.md) and [LTS](../releases/LTS-release-notes.md) releases, we have updated our signing key to enhance security and ensure continued reliability. This key ensures that only trusted kernel-level software can run during the boot process. The new key, valid for one year, will be used to sign all new releases. To ensure compatibility with these updates while maintaining the secure boot functionality, you need to download and install the new DER certificate. If you are using an older release, the [old key](https://repositories.intel.com/gpu/intel-kmod-2024.der) will still be required and remains valid until its expiration date. 

```

Follow this procedure to add the DER certificate to the Machine Owner Key (MOK) list using mokutil.

1. Download the proper DER certificate file, depending on the release you are using.

    ::::{tab-set}
    :sync-group: release

    :::{tab-item} The latest rolling and LTS release
    :sync: latest-releases

    ```bash
    wget https://repositories.intel.com/gpu/intel-kmod.der
    ```

    :::
    :::{tab-item} Previous releases
    :sync: previous-releases

    ```bash
    wget https://repositories.intel.com/gpu/intel-kmod-2024.der
    ```
    :::
    ::::

2. Add the certificate to the MOK list.

    ```bash
    sudo mokutil --import intel-kmod.der
    ```

3. When prompted, create a password for the MOK enrollment request. This password will be required to confirm the changes in the MOK list during the next boot.

4. Reboot your system. During the boot process, you will be presented with a screen for MOK management.

5. Select **Enroll MOK** and follow the prompts to enroll the certificate. 

6. Enter the password you created earlier when prompted.

## Loading the module and verifying the operation

1. After enrolling the key and restarting your system, load the kernel module, if it is not already loaded.

    ```bash
    sudo modprobe i915
    ```

2. Verify that the module is loaded.

    ```bash
    lsmod | grep i915
    ```

    If you see output related to the i915 module, it indicates that the module has been loaded and is ready for use with Secure Boot.