I decided to get a new laptop in response to the current pandemic situation, with the intent to work from home. WiFi is a nice feature to have on a laptop; unfortunately, only Windows drivers are readily available for the built-in Realtek wireless chip. There is no upstream kernel module available in Fedora 31 (Linux 5.5.10), but there is an out-of-tree project implementing the driver. Because of this, we need a locally signed kernel module if we wish to keep SecureBoot enabled, something I'd prefer to maintain.
With SecureBoot enabled, loading a kernel module will require Dynamic Kernel Module Signing, since we're in lockdown (this isn't easily bypassable anymore) and unsigned module loading is restricted. This guide will explain how to get, install, sign and load the Realtek 8821ce Linux kernel module.
- Asus TUF FX505DT (AMD Ryzen 5, Realtek rtl8821ce wireless)
- Fedora 31
- Windows 10 (Dualboot)
Most things in this guide, except git checkout, require root privileges.
- openssl - Provided by package: openssl
- sign-file - Provided by package: kernel-devel
- mokutil - Provided by package: mokutil
- keyctl - Provided by package: keyutils
- make - Provided by package: make
- dkms - Provided by package: dkms
- kernel-devel - Provided by package: kernel-devel
- gcc - Provided by package: gcc
- git - Provided by package: git
Install all of it
$ dnf install dkms gcc git kernel-devel keyutils make mokutil openssl
$ sudo -i
Check if SecureBoot is enabled
$ mokutil --sb-state
SecureBoot enabled
Get the driver
$ git clone https://github.com/tomaspinho/rtl8821ce
Install the driver
$ cd rtl8821ce
$ bash ./dkms-install.sh
$ make
$ make install
Generate an X.509 Key Pair
Use openssl to generate a key pair for kernel module signing in Fedora:
Create a configuration file for key generation
$ cat << EOF > configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
Generate the key pair
$ openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config configuration_file.config -outform DER -out public_key.der -keyout private_key.priv
Enrol the public key
Manually add public key to MOK List
$ mokutil --import public_key.der
You will be asked to enter and confirm a password for this MOK enrolment request. I suggest that you do not go ham on special chars, as MokManager.efi defaults to English keyboard layout, separate from the Fedora settings.
Reboot the machine
This should open MokManager.efi before booting into Fedora again. Complete the enrolment, which will include entering the previously set password.
Verify that the key is on the system key ring
$ keyctl list %:.builtin_trusted_keys
Sign the kernel module with your private key
Assuming you're in the directory where you generated your keys:
$ /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 private_key.priv public_key.der /lib/modules/$(uname -r)/kernel/drivers/net/wireless/8821ce.ko
(Use the absolute path at least for the .ko file. If you're not in the directory with the keys, you will need to specify their full paths as well.)
Load the now signed Kernel Module
Load the kernel module
$ modprobe -v 8821ce
If you're failing to load the module, it's reasonable to suspect a failure to sign the module. Check the output of dmesg:
$ dmesg
[ 5880.506791] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
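One way to confirm that sign-file actually appended a signature to the .ko before calling modprobe, as an added example that is not part of the original guide or the driver project. The function name module_sig_status is hypothetical; the check relies on the kernel's appended-signature trailer (a 12-byte struct module_signature followed by a 28-byte magic string).

```shell
# Added example: inspect a .ko file for the appended module signature trailer.
# Trailer layout: <signature> <12-byte struct module_signature> <magic + newline>
MODSIG_MAGIC='~Module signature appended~'

# Hex-encode stdin so binary data (including NUL bytes) can be compared safely.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Usage: module_sig_status FILE   (hypothetical helper name)
# Prints "signed id_type=N sig_len=N", "unsigned" or "corrupt".
# Returns 0 only when a plausible signature trailer is present.
module_sig_status() {
    f=$1
    [ -r "$f" ] || return 2
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -lt 40 ] ||
       [ "$(tail -c 28 "$f" | hex)" != "$(printf '%s\n' "$MODSIG_MAGIC" | hex)" ]; then
        echo unsigned
        return 1
    fi
    # struct module_signature: algo, hash, id_type, signer_len, key_id_len,
    # 3 padding bytes, then sig_len as a big-endian 32-bit integer.
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -v -tu1)
    id_type=$3
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    # The signature must fit inside the file; otherwise the trailer is damaged.
    if [ $((sig_len + 40)) -gt "$size" ]; then
        echo corrupt
        return 1
    fi
    echo "signed id_type=$id_type sig_len=$sig_len"   # id_type 2 = PKCS#7
}

# Stand-alone use: pass the module path as the first argument, for example
# /lib/modules/$(uname -r)/kernel/drivers/net/wireless/8821ce.ko
if [ $# -gt 0 ]; then
    module_sig_status "$1"
fi
```

This only shows that a signature is attached, not that it was made with the enrolled key. A compressed module (.ko.xz) has to be decompressed before it can be checked this way.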
Fedora should recognise the wireless card and present you with WiFi settings.
Enjoy a less isolated quarantine!