Configuring Secure Boot

This guide provides instructions for configuring Secure Boot when using packages with signed prebuilt kernel modules (KMD prebuilds). Before starting the configuration, check if Secure Boot is enabled on your system by running the following command:

mokutil --sb-state

This command returns the Secure Boot status. If Secure Boot is enabled, follow this procedure to ensure that signed kernel modules from prebuilt kernel module packages can be loaded successfully.

Adding the Distinguished Encoding Rules (DER) certificate to the system

Important update: signing key renewal

The Secure Boot signing key is rotated annually to enhance security and reliability by ensuring that only trusted kernel-level software can run during the boot process. Beginning with release 2523.59, packages are signed with a new key. To use the latest release while keeping Secure Boot functional, you need to download and install the new DER certificate. Previous releases remain signed with the key that was current at the time of their release. Therefore, if you are using an older release from 2024 or 2025, the old key is still required and remains valid. In that case, use the 2024 or 2025 key, depending on the release you are using.

Follow this procedure to add the DER certificate to the Machine Owner Key (MOK) list using mokutil.

  1. Download the proper DER certificate file, depending on the release you are using. Run only the command for the certificate that matches your release.

    wget https://repositories.intel.com/gpu/intel-kmod.der
    
    wget https://repositories.intel.com/gpu/intel-kmod-2025.der
    
    wget https://repositories.intel.com/gpu/intel-kmod-2024.der
    
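  2. Add the certificate to the MOK list. If you downloaded a different certificate file in step 1, use its file name in place of intel-kmod.der.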

    sudo mokutil --import intel-kmod.der
    
  3. When prompted, create a password for the MOK enrollment request. This password will be required to confirm the changes in the MOK list during the next boot.

  4. Reboot your system. During the boot process, you will be presented with a screen for MOK management.

  5. Select Enroll MOK and follow the prompts to enroll the certificate.

  6. Enter the password you created earlier when prompted.

Loading the module and verifying the operation

  1. After enrolling the key and restarting your system, load the kernel module, if it is not already loaded.

    sudo modprobe i915
    
  2. Verify that the module is loaded.

    lsmod | grep i915
    

    If you see output related to the i915 module, it indicates that the module has been loaded and is ready for use with Secure Boot.
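
The checks worth running around this procedure, as an added example that is not part of the original guide or of Intel's tooling: it confirms that Secure Boot is on, shows the certificate's subject and validity dates before you trust it, checks after the reboot that its fingerprint appears in the enrolled MOK list, and prints the signer of the i915 module. The function names are hypothetical, and the script assumes that openssl is installed and that `mokutil --list-enrolled` prints `SHA1 Fingerprint:` lines.

```shell
#!/bin/sh
# Added example: checks around the MOK enrollment procedure (function names are hypothetical).
# The parsers read command output on stdin, so they can be exercised without mokutil.

# True when `mokutil --sb-state` output reports Secure Boot as enabled.
sb_enabled() { grep -qi '^SecureBoot enabled'; }

# Reduce a "SHA1 Fingerprint=AA:BB" (openssl) or "SHA1 Fingerprint: aa:bb"
# (mokutil, assumed format) line to bare lowercase hex so the two can be compared.
norm_fp() { tr '[:upper:]' '[:lower:]' | sed -e 's/^.*fingerprint[=:] *//' -e 's/://g'; }

# cert_enrolled FINGERPRINT < output of `mokutil --list-enrolled`
# Returns 0 if the fingerprint is enrolled, 1 if not, 2 if no fingerprint was given.
cert_enrolled() {
    want=$(printf '%s\n' "$1" | norm_fp)
    [ -n "$want" ] || return 2
    grep -i 'fingerprint' | norm_fp | grep -qx "$want"
}

# Run the live checks for one certificate file (default: intel-kmod.der).
verify_enrollment() {
    cert=${1:-intel-kmod.der}
    mokutil --sb-state | sb_enabled || { echo "Secure Boot is not enabled"; return 1; }
    # Show the certificate subject and validity window before trusting it.
    openssl x509 -inform DER -in "$cert" -noout -subject -dates || return 1
    fp=$(openssl x509 -inform DER -in "$cert" -noout -fingerprint -sha1) || return 1
    if mokutil --list-enrolled | cert_enrolled "$fp"; then
        echo "$cert is enrolled in the MOK list"
    else
        echo "$cert is NOT enrolled (request still pending a reboot, or never imported)"
        return 1
    fi
    # Show which key signed the module that modprobe will load.
    echo "i915 signer: $(modinfo -F signer i915)"
}

# Live checks run only on request: sh check-mok.sh --check intel-kmod-2025.der
if [ "${1:-}" = "--check" ]; then verify_enrollment "${2:-}"; fi
```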