How to use NoMachine USB drivers on Linux with Secure Boot enabled
Since kernel version 4.4.0-20, Linux includes support for the UEFI (Unified Extensible Firmware Interface) Secure Boot feature.
When Secure Boot is enabled, kernel modules can be loaded only if they are signed with a private key and the signature can be verified with the corresponding public key, which must be trusted by the kernel.
This also applies to the NoMachine USB module (nxusb.ko), which is not signed.
There are two ways to support NoMachine USB forwarding on Linux systems with Secure Boot:
i) Self-sign the NoMachine USB module
or:
ii) Disable Secure Boot.
i) How to self-sign the NoMachine USB module
The instructions in this section describe step by step how to self-sign the nxusb.ko kernel module on UEFI-based systems with Secure Boot enabled.
Prerequisites
Install the following tools on the system; they are needed to sign the nxusb.ko module:
a) OpenSSL toolkit (package: openssl) – Tool for generating the private key and the matching self-signed X.509 certificate (the public key).
b) sign-file script (package: kernel-devel on RHEL/CentOS/Fedora, linux-headers-$(uname -r), e.g. linux-headers-2.6.32-amd64 on Debian/Ubuntu) – Script for signing kernel modules.
c) mokutil utility (package: mokutil) – Tool for manually enrolling the public key.
All commands used in the following instructions have to be executed in a console.
Sign the nxusb.ko kernel module
1. Generate a Public and Private X.509 Key Pair
openssl req -new -x509 -newkey rsa:2048 -keyout nxusbko_driver.priv -outform DER -out nxusbko_driver.der -nodes -days 36500 -subj "/CN=Signing key for nxusb.ko/"
2. Sign the module
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./nxusbko_driver.priv ./nxusbko_driver.der /usr/NX/bin/drivers/nxusb.ko
3. Manually add the Public Key to the MOK (Machine Owner Key) List
IMPORTANT:
Enrolling a MOK key requires physical presence at the UEFI console of the target system, because the enrollment is confirmed there at the next boot.
Execute:
sudo mokutil --import nxusbko_driver.der
mokutil prompts for a one-time password; choose one and remember it. Then reboot the machine.
At boot, the MOK manager will prompt you to handle the pending key enrollment request.
To complete the enrollment from the UEFI console, select the enroll option, enter the password you previously associated with this request and confirm the enrollment.
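The three steps above, wrapped as shell functions with the checks a practitioner wants before and after the reboot. This is an added example, not a NoMachine script: it assumes the module path given in this article, the Debian/Ubuntu linux-headers location of sign-file (on RHEL/CentOS/Fedora with kernel-devel the script is under /usr/src/kernels/$(uname -r)/scripts/sign-file; set SIGN_FILE accordingly), and that mokutil and modinfo are installed. The signature check relies on the fixed 28-byte marker that sign-file appends to a signed module.

```shell
#!/bin/sh
# Added example (not NoMachine's own tooling): the three signing steps from the
# section above as shell functions, plus checks to run before rebooting.
# Assumptions: MODULE is the driver path given in the article; SIGN_FILE follows
# the Debian/Ubuntu linux-headers layout (on RHEL/CentOS/Fedora with kernel-devel
# it is /usr/src/kernels/$(uname -r)/scripts/sign-file). Override via environment.
set -eu

MODULE="${MODULE:-/usr/NX/bin/drivers/nxusb.ko}"
KEY_PRIV="${KEY_PRIV:-nxusbko_driver.priv}"
KEY_DER="${KEY_DER:-nxusbko_driver.der}"
SIGN_FILE="${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}"

# sign-file appends the signature and then this fixed marker followed by a
# newline (28 bytes in total; MODULE_SIG_STRING in the kernel's
# module_signature.h). Its presence shows that the module carries a signature.
SIG_MARKER='~Module signature appended~'

module_is_signed() {
    # $1: path to a .ko file. Returns 0 when the signature marker terminates it.
    [ -f "$1" ] || return 1
    [ "$(tail -c 28 "$1")" = "$SIG_MARKER" ]
}

generate_keypair() {
    # Step 1: private key (PEM) plus self-signed X.509 certificate (DER) for MOK.
    openssl req -new -x509 -newkey rsa:2048 -keyout "$KEY_PRIV" -outform DER \
        -out "$KEY_DER" -nodes -days 36500 -subj "/CN=Signing key for nxusb.ko/"
    # Anyone holding this key can sign modules the kernel will then trust:
    # keep it off shared paths and readable by its owner only.
    chmod 600 "$KEY_PRIV"
}

sign_module() {
    # Step 2: sign the module in place, skipping it if already signed.
    if module_is_signed "$MODULE"; then
        echo "$MODULE already carries a module signature, not re-signing" >&2
        return 0
    fi
    sudo "$SIGN_FILE" sha256 "$KEY_PRIV" "$KEY_DER" "$MODULE"
    module_is_signed "$MODULE"   # fail loudly if no signature was appended
}

enroll_key() {
    # Step 3: queue the certificate for MOK enrollment. mokutil asks for a
    # one-time password here; the MOK manager asks for it again after reboot.
    sudo mokutil --import "$KEY_DER"
}

show_status() {
    # Checks worth running before and after the reboot.
    mokutil --sb-state || true             # is Secure Boot actually enforced?
    mokutil --test-key "$KEY_DER" || true  # is our certificate already enrolled?
    modinfo "$MODULE" | grep -E '^(signer|sig_hashalgo)' || true  # signer CN and hash
}

case "${1:-}" in
    keygen) generate_keypair ;;
    sign)   sign_module ;;
    enroll) enroll_key ;;
    status) show_status ;;
    all)    generate_keypair; sign_module; enroll_key; show_status ;;
    *)      echo "usage: $0 keygen|sign|enroll|status|all" ;;
esac
```

Run it as `sh sign-nxusb.sh all` (hypothetical file name) to perform all three steps, then `sh sign-nxusb.sh status` after the reboot: `modinfo` should now print a signer line with the CN from step 1, and `mokutil --test-key` should report the certificate as enrolled. Keep the key pair: if a NoMachine update replaces nxusb.ko, running the `sign` action again with the same key restores a module the kernel already trusts, with no new MOK prompt.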
ii) Disable Secure Boot
This section provides two alternative methods to disable Secure Boot on UEFI-based systems.
IMPORTANT:
Both methods require physical presence at the UEFI console of the target system.
First method: disabling Secure Boot via UEFI settings
On most systems you can reach the UEFI settings from the GRUB menu:
1. Press ESC while the system is booting.
2. In the GRUB menu, select System Setup.
3. The Secure Boot option should be in the "Security" or "Boot" section of the UEFI settings panel.
It should also be possible to enter the UEFI setup directly; the shortcut key is usually Del or F2, pressed during boot. Check the UEFI documentation for your hardware for the exact key.
Second method: disabling Secure Boot via mokutil
Since kernel build 4.4.0-21.37, Secure Boot can be disabled by using the mokutil utility (package mokutil).
1. Execute:
sudo mokutil --disable-validation
2. mokutil prompts for a one-time password. Reboot, then complete the operation from the UEFI console: enter the password you previously associated with this request and confirm the change to the security settings.
