HOWTO Install WireGuard on Secure Boot CentOS 8

I needed to install WireGuard on my laptop for remote connection to my dev workstation. The laptop has Secure Boot enabled, and kernel modules need to be signed to be loaded. These are the steps I took to install and sign the WireGuard module on CentOS 8.

Relevant links:

CentOS 8 does not ship WireGuard built in, so the module has to be installed as an out-of-tree kmod from the ELRepo repository (which is why both the EPEL and ELRepo release packages are pulled in first).

sudo dnf install epel-release elrepo-release
sudo dnf install kmod-wireguard wireguard-tools

Now sign the installed wireguard.ko (located at /lib/modules/$(uname -r)/extra/wireguard/wireguard.ko). An unsigned out-of-tree module is exactly what Secure Boot's module signature enforcement refuses to load, so the remaining steps create a signing key, enroll it, and sign the module with it.

sudo dnf install openssl kernel-devel mokutil keyutils
# cd /root
# cat << EOF > configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

Edit that file and fill in appropriate fields.

vim configuration_file.config

Generate the keys.

openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
    -batch -config configuration_file.config -outform DER \
    -out my_signing_key_pub.der \
    -keyout my_signing_key.priv

Use mokutil (the Machine Owner Key utility) to enroll the public half of the key in the list of keys trusted by the system. Only the public certificate (the .der file) is enrolled; the private key stays in /root and should be treated as sensitive, since anyone holding it can sign modules this machine will load.

mokutil --import my_signing_key_pub.der

Now reboot the machine. The system will ask you to confirm the new key and enter the key password you chose when generating the key.

Once you’ve rebooted, use the new key to sign the wireguard module.

cd /root
/usr/src/kernels/$(uname -r)/scripts/sign-file sha256 my_signing_key.priv my_signing_key_pub.der /lib/modules/$(uname -r)/extra/wireguard/wireguard.ko

Once signed, you should be able to load the module.

modprobe wireguard
wg show
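Once the module loads, it is worth confirming that it loaded for the right reason, that is, because the signature verified against an enrolled key rather than because enforcement was not actually active. The script below is an added verification helper, not part of the original HOWTO; it assumes the paths used above (/root/my_signing_key_pub.der and the wireguard.ko under /lib/modules/$(uname -r)/extra/wireguard/) and the standard mokutil, openssl and modinfo tools. It checks three things: that Secure Boot is enforcing, that the public key's SHA1 fingerprint appears in the enrolled MOK list, and that the .ko actually carries the kernel's signature trailer (and who signed it).

```shell
#!/bin/sh
# verify-wireguard-sig.sh : post-signing checks for a Secure Boot CentOS 8 machine.
# Added example for this HOWTO; not from the original page. Run as root after the
# sign-file step. Paths are assumptions matching the HOWTO and can be overridden
# through the environment (KEY_PUB=... MODULE=... ./verify-wireguard-sig.sh).

KEY_PUB="${KEY_PUB:-/root/my_signing_key_pub.der}"
MODULE="${MODULE:-/lib/modules/$(uname -r)/extra/wireguard/wireguard.ko}"

# sign-file appends the PKCS#7 blob, a small header and this fixed marker string
# (the kernel's MODULE_SIG_STRING) to the end of the .ko. Its presence tells you
# sign-file really ran on this file; its absence means the module is unsigned.
SIG_MAGIC='~Module signature appended~'

# Normalise a fingerprint line from openssl ("SHA1 Fingerprint=AB:CD:...") or from
# mokutil ("  SHA1 Fingerprint: ab:cd:...") to bare lowercase colon-separated hex,
# so the two tools' outputs can be compared directly.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^[^=:]*[=:] *//' | tr 'A-F' 'a-f' | tr -d ' '
}

# usage: module_is_signed /path/to/module.ko ; exit status 0 if the trailer is present.
# Only the last 64 bytes are inspected, which is enough to cover the marker.
module_is_signed() {
    tail -c 64 "$1" | grep -q -a "$SIG_MAGIC"
}

# Signer name recorded in the module's signature (kmod's modinfo; empty if unsigned).
module_signer() {
    modinfo -F signer "$1" 2>/dev/null
}

# usage: key_enrolled pub.der ; compares the certificate's SHA1 fingerprint against
# every fingerprint mokutil lists, rather than trusting mokutil's exit codes.
key_enrolled() {
    want=$(normalize_fp "$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1)")
    mokutil --list-enrolled 2>/dev/null | grep 'SHA1 Fingerprint' | while read -r line; do
        [ "$(normalize_fp "$line")" = "$want" ] && echo found
    done | grep -q found
}

main() {
    # 1. Is Secure Boot enforcing at all? If not, an unsigned module would load too,
    #    and a passing "modprobe wireguard" proves nothing about the signature.
    mokutil --sb-state

    # 2. Is our public key actually in the MOK list (i.e. was the reboot confirmed)?
    if key_enrolled "$KEY_PUB"; then
        echo "MOK: $KEY_PUB is enrolled"
    else
        echo "MOK: $KEY_PUB is NOT enrolled (was the key confirmed in MOK Manager after reboot?)"
    fi

    # 3. Does the .ko carry a signature, and by whom?
    if module_is_signed "$MODULE"; then
        echo "module: signature trailer present, signer='$(module_signer "$MODULE")'"
    else
        echo "module: no signature trailer, sign-file has not been run on $MODULE"
    fi
}

# Run the checks only when executed as a script, so the functions can also be sourced.
[ "${0##*/}" = "verify-wireguard-sig.sh" ] && main
```

If the signer printed in step 3 does not match the CN you put in configuration_file.config, or the MOK check reports the key as not enrolled while modprobe still succeeds, the module is loading for some other reason (most likely Secure Boot being disabled) and the signing step has not been exercised.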