Loading gowin_pcie_demo requires signed driver for UEFI Secure Boot #18

@kevpatt

Problem:

If your PC has UEFI Secure Boot enabled, you must cryptographically sign the gowin_demo.ko driver and enroll the MOK key.

Solution:

You may temporarily disable Secure Boot in your BIOS Setup, or perform the following steps:

First, create and import a MOK keypair for driver signing. These steps only need to be done once; they do not need to be repeated for each build:

  1. Generate a keypair for signing. You may store the keypair anywhere you like (e.g. in your home directory, or in the project directory, etc.).
    openssl req -new -x509 -newkey rsa:2048 -keyout ~/MOK.priv -outform DER -out ~/MOK.der -nodes -days 3650 -subj "/CN=gowin_pcie_demo/"
  2. Import the key for Secure Boot MOK enrollment (you will be prompted to create a password, to be used in step 5):
    # mokutil --import ~/MOK.der
  3. Reboot → a blue screen (MOK manager) will appear.
  4. Choose "Enroll MOK".
  5. Use the password you set in step 2.
  6. Reboot again.

Sign your driver with the MOK key. Do this each time you build the gowin_pcie_demo kernel module (gowin_demo.ko):

  1. Build the gowin_pcie_demo project according to the documentation.
  2. Change directory to the location of gowin_demo.ko (built in TangMega-138KPro-example/pcie_dma_demo/gowin_pcie_demo/gowin_pcie_demo/driver).
  3. Sign the kernel module:
    # /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/MOK.priv ~/MOK.der gowin_demo.ko
  4. Attempt to load the kernel module:
    # insmod gowin_demo.ko
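
A pre-load check for the procedure above, added here as an example and not part of the original issue or the project's code: it confirms that gowin_demo.ko carries the appended signature trailer and that the certificate is in the enrolled MOK list before you run insmod. The function names and the script layout are hypothetical; the default paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: pre-load checks for a MOK-signed kernel module.
# Function names are hypothetical; default paths follow the steps above.

SIG_MARKER='~Module signature appended~'   # trailer that sign-file appends (followed by "\n")

# Return 0 if the file ends with the module-signature trailer, 2 if it is missing.
has_module_signature() {
    [ -f "$1" ] || return 2
    # Last 28 bytes = 27-character marker + newline; drop NULs so the shell can compare.
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$SIG_MARKER" ]
}

# Return 0 if the DER certificate is already in the enrolled MOK list.
mok_is_enrolled() {
    mokutil --test-key "$1" 2>/dev/null | grep -q 'is already enrolled'
}

preload_check() {
    ko=${1:-gowin_demo.ko}
    der=${2:-$HOME/MOK.der}
    rc=0
    if has_module_signature "$ko"; then
        echo "ok:   $ko is signed (signer: $(modinfo -F signer "$ko" 2>/dev/null))"
    else
        echo "FAIL: $ko is unsigned; sign-file must be re-run after every build"; rc=1
    fi
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state 2>/dev/null   # prints "SecureBoot enabled" or "SecureBoot disabled"
        if mok_is_enrolled "$der"; then
            echo "ok:   $der is enrolled"
        else
            echo "FAIL: $der is not enrolled; import it and finish Enroll MOK at reboot"; rc=1
        fi
    else
        echo "skip: mokutil not installed, enrollment not checked"
    fi
    return "$rc"
}

# Run the checks only when called with arguments, e.g.: sh check.sh gowin_demo.ko ~/MOK.der
if [ "$#" -ge 1 ]; then preload_check "$@"; fi
```

The signer printed for a module signed with the keypair from step 1 should be gowin_pcie_demo, the CN given to openssl.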
