Linux, Secure Boot and MOK: Signing My Way to a Quiet Fan

Fra, skip the story again, just tell me how to make NBFC work with Secure Boot on!
Ok, here’s the TL;DR (Acer + Linux):
- Clone the acpi_ec module and add a git tag so the installer runs
- Install build-essential, the kernel headers and mokutil
- Run the install script: it builds the module, signs it and queues a MOK enrollment
- Reboot, then on the blue MOK screen pick Enroll MOK first, then continue boot
- Tell NBFC to use acpi_ec as embedded controller
Welcome back, cave dwellers!
Last time we left off inside the Acer BIOS, with all the advanced settings finally unlocked but no fan curves in sight. I closed the BIOS, booted into Linux and told myself “no worries, it’s Linux, there’s a tool for everything”.
Spoiler: there is. But Linux had one more boss fight ready for me.
NBFC-Linux: looks easy on paper
Five minutes of googling and I found NBFC-Linux, basically a port of the famous Windows NoteBookFanControl. CLI, simple config files, a long list of supported laptops on GitHub. Exactly what I wanted.
I installed it, picked a config close to my Acer Aspire A515-45, ran the service and…
modprobe: ERROR: could not insert 'ec_sys': Operation not permitted
Oh no. Not the “operation not permitted” guy. We meet again.
What is Secure Boot blocking, exactly?
NBFC needs to talk to the laptop’s embedded controller, the little chip that handles fans, keyboard backlight, battery and a few other things. To do that, it loads a kernel module called ec_sys.
The problem: ec_sys is unsigned. And Secure Boot, by design, refuses to load anything that isn’t signed by a trusted key. End of story.
So I had two options:
- Disable Secure Boot. One toggle in the BIOS, done in 30 seconds.
- Keep Secure Boot on and sign a module myself. A lot more work, but this is also my work laptop and I’d rather not weaken its security just to silence a fan.
Guess which one I picked. (Spoiler: option 2. I am, apparently, allergic to easy solutions at midnight.)
Meet acpi_ec and MOK keys
There’s a kinder cousin of ec_sys called acpi_ec. Same job, exposes the embedded controller to user space, but it ships with an install script that builds the module, signs it, and prepares it for Secure Boot.
The trick is MOK, Machine Owner Key. Secure Boot keeps a list of keys it trusts. MOK lets you add your own key to that list, so any module signed with it gets loaded just fine. You enroll the key once, from the boot menu, and from that moment on Secure Boot is happy.
That’s exactly what we’re going to do.
LUMOS!!!
Lumos is a Harry Potter spell that lights up the tip of your wand. Felt appropriate, given how dark this rabbit hole gets.
Step 1: Clone acpi_ec
git clone https://github.com/MusiKid/acpi_ec.git
cd acpi_ec
Small heads up: the install script looks for git tags. If you cloned a fresh repo and don’t see any, just create one:
git tag v1.0
Otherwise the script complains and refuses to run. Took me a hot minute to figure that out.
Step 2: Install the prerequisites
sudo apt update
sudo apt install build-essential linux-headers-$(uname -r) mokutil
mokutil is what talks to the Secure Boot key store. The rest is just to compile the module.
Step 3: Run the install script
sudo ./install.sh
The script will:
- compile acpi_ec,
- generate a new MOK key pair,
- sign the module with it,
- ask you for a one-time password (anything you can remember for the next five minutes is fine).
Don’t lose that password. You’ll need it on the next reboot.
Step 4: Reboot and actually enroll the key
This is the step where I, very confidently, messed up. Twice.
When you reboot, you get a blue screen called MOK Management. The default option is “Continue boot”, which I, like a tired wizard at 1 AM, happily clicked.
If you do that, the key is not enrolled. The module won’t load. NBFC will keep crying. You will keep googling. Don’t be me.
Instead:
- Select Enroll MOK
- View key (optional, but satisfying)
- Continue
- Yes, enroll this key
- Type the password you set during the install script
- Then reboot
After this, your custom-signed module is trusted forever.*
*Well, until you reinstall the OS or a kernel update is big enough that the module needs to be rebuilt. In that case, just run ./install.sh again.
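A quick way to tell whether Step 4 really enrolled the key, as an added example (not part of the original post or of the acpi_ec project): it classifies a module's signer as enrolled, pending or missing from the certificate text mokutil prints. Matching on the certificate CN is a simplifying assumption, and the sample listings and names are constructed.

```shell
#!/bin/sh
# Added example: is the key that signed a module enrolled, pending, or missing?

# has_cn CN TEXT: true if a certificate in TEXT has exactly this Subject CN.
# Handles both "CN=Name" and "CN = Name" as printed by different OpenSSL versions.
has_cn() {
    printf '%s\n' "$2" |
        sed -n 's/^[[:space:]]*Subject:.*CN *= *\([^,/]*\).*/\1/p' |
        grep -Fxq -- "$1"
}

# key_state SIGNER ENROLLED_TEXT PENDING_TEXT
#   unsigned: the module carries no signer at all
#   enrolled: signer is in the MOK list, the module can load
#   pending : request queued, reboot and pick "Enroll MOK"
#   missing : neither; queue a new request (here: rerun install.sh)
key_state() {
    if [ -z "$1" ]; then echo unsigned
    elif has_cn "$1" "$2"; then echo enrolled
    elif has_cn "$1" "$3"; then echo pending
    else echo missing
    fi
}

# Live check. Module name acpi_ec is taken from the post.
check_live() {
    key_state "$(modinfo -F signer acpi_ec 2>/dev/null)" \
              "$(mokutil --list-enrolled 2>/dev/null)" \
              "$(mokutil --list-new 2>/dev/null)"
}

# Constructed samples shaped like mokutil's certificate listing (names are made up).
SAMPLE_ENROLLED='[key 1]
        Issuer: CN=Example Distro Secure Boot CA
        Subject: CN=Example Distro Secure Boot CA'
SAMPLE_PENDING='[key 1]
        Issuer: CN = Example Module Signing Key
        Subject: CN = Example Module Signing Key'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    key_state "Example Module Signing Key" "$SAMPLE_ENROLLED" "$SAMPLE_PENDING"
fi
```

With `--live` it reads the real module and MOK lists; any result other than `enrolled` for acpi_ec points back at Step 3 or Step 4 rather than at NBFC.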
Step 5: Tell NBFC to use acpi_ec
By default NBFC still tries ec_sys. Open its config:
sudo nano /etc/nbfc/nbfc.json
And add (or change) the embedded controller type:
{
  "SelectedConfigId": "Acer Aspire A315-57G-74A3",
  "EmbeddedControllerType": "acpi_ec"
}
Don’t worry about SelectedConfigId for now, we’ll obsess over that one in the next post. Just put something so the JSON is valid.
Then:
sudo nbfc restart
nbfc status
If nothing yells at you, congratulations: you now have a Secure-Boot-friendly path to your laptop’s fans.
Did I really need all this?
Honestly? If this were a personal-only laptop, I’d probably have flipped Secure Boot off and called it a night. But this is also where I work, and I want the OS to keep verifying what it loads.
This way I keep Secure Boot on, I trust exactly one extra key (mine), and the only module signed with that key is one tiny piece of code that talks to the embedded controller. Fair trade.
Next time
The fight with Secure Boot is over. The terminal is no longer angry. The fan, on the other hand, is still doing its impression of a small turbine.
In the next (and last) post of the series we finally make it shut up: pick a config, try a couple more when the first one doesn’t quite fit, and end up with a laptop that’s quiet enough to write a blog post in bed without waking up the cat.
Sleep tight, cave dwellers. ;)