DAMX Suite - Secure Boot Support Implementation

[scorpionTaj]

Overview

This update adds comprehensive Secure Boot support for the Linuwu-Sense kernel driver, with special compatibility for CachyOS and LLVM-compiled kernels. The installation process now intelligently detects the kernel compiler and builds the driver with the appropriate toolchain.

Changes Summary

📁 File: Linuwu-Sense/build_sign_install.sh

New Features:

1. LLVM Kernel Detection Function (is_llvm_kernel())

   • Automatically detects if the kernel was compiled with LLVM/Clang
   • Checks multiple sources: /proc/version, kernel config files, system info
   • Multi-method detection for reliability across distributions

2. Smart Compiler Selection

   • Uses Clang (LLVM=1 CC=clang) for LLVM-compiled kernels
   • Falls back to GCC for standard kernels
   • Prevents compiler mismatch errors on CachyOS and other LLVM-based systems

3. Additional Detection Method (check_kernel_compiler())

   • Secondary validation for kernel compiler type
   • Ensures correct compiler selection

Key Improvements:

• Before: Script would fail on CachyOS with GCC compiler mismatch errors
• After: Automatically detects and uses Clang for LLVM kernels, eliminating build failures
• Compatible with all distributions: Debian, Ubuntu, Fedora, RHEL, Arch, Manjaro, CachyOS
• Proper Secure Boot signing and driver installation

---

📁 File: local-setup.sh

New Functions:

1. install_drivers_with_secureboot()
   • Executes the enhanced build_sign_install.sh script
   • Handles Secure Boot driver building and signing automatically
   • Provides user feedback and error handling

Menu Updates:

Expanded from 5 to 7 installation options:

Option	Description
1	Install DAMX Suite (complete)
2	Install DAMX Suite (without drivers)
3	Install DAMX Suite (complete with Secure Boot support) ✨ NEW
4	Install drivers only (with Secure Boot support) ✨ NEW
5	Uninstall DAMX Suite
6	Reinstall/Update DAMX Suite (with Secure Boot option prompt) ✨ UPDATED
7	Check service status

Updated Functions:

1. perform_install()

   • Added use_secureboot parameter (3rd parameter)
   • Conditionally calls either install_drivers() or install_drivers_with_secureboot()
   • Maintains full suite installation with daemon + GUI when requested

2. main_menu()

   • New option 3: Complete suite with Secure Boot drivers
   • New option 4: Drivers-only with Secure Boot (for users who want just the kernel module)
   • Updated option 6 (Reinstall/Update): Now prompts user to choose between Secure Boot and regular installation
   • Improved menu layout and user guidance

---

📁 File: MapNitroButton.sh ✨ NEW

Purpose:

Enables the physical Nitro button on Acer laptops to launch the DAMX GUI application. Provides seamless hardware integration for quick access to system controls.

Key Features:

1. Device Detection

   • Automatically detects Acer input devices (Wireless Radio Control, WMI hotkeys, AT keyboard)
   • Finds the correct /dev/input/event* device dynamically
   • Works across different Acer laptop models

2. Permission Management

   • Automatically detects permission issues
   • Adds user to input group for device access
   • Creates and applies udev rules for persistent permissions
   • Uses sg command for immediate group activation without logout

3. Smart Application Launching

   • Listens for Nitro button presses (key code 425)
   • Prevents duplicate instances (checks if DAMX is already running)
   • Non-blocking launch using nohup
   • Includes 2-second delay after launch for stability

4. Error Handling

   • Detects missing devices and provides helpful error messages
   • Handles permission issues gracefully
   • Suggests reboot if necessary
   • Runs in background loop for continuous monitoring

Usage:

# Run the script
./MapNitroButton.sh

# The script will:
# 1. Detect the Nitro key device
# 2. Handle permissions automatically
# 3. Listen for Nitro button presses
# 4. Launch DAMX when button is pressed

Technical Details:

Supported Input Devices:

• Acer Wireless Radio Control
• Acer WMI hotkeys
• AT Translated Set 2 keyboard

Key Code Monitored: 425 (Nitro/Gaming button)

Launch Command: DAMX (uses the command shortcut created during installation)

Running Processes Check:

# Checks for either:
pgrep -x "DAMX"              # Process name match
pgrep -f "DivAcerManagerMax"  # Full binary name match

Integration with DAMX Suite:

• Works seamlessly with installed DAMX GUI
• Uses the DAMX command shortcut created during setup
• Depends on proper installation via local-setup.sh

---

Distribution Support

Fully Supported:

• ✅ Debian/Ubuntu - Traditional GCC-compiled kernels
• ✅ Fedora/RHEL - Traditional GCC-compiled kernels
• ✅ Arch/Manjaro - Traditional GCC-compiled kernels
• ✅ CachyOS - LLVM-compiled kernels (auto-detected)
• ✅ Any distribution with LLVM-compiled kernel (auto-detected)

How It Works:

1. Script detects kernel compiler automatically
2. For LLVM kernels: Uses LLVM=1 CC=clang LLVM=1 flags
3. For GCC kernels: Uses standard make without special flags
4. Automatically signs driver with Secure Boot keys (if available)

---

Usage Examples

Installation with Secure Boot Support (Complete Suite):

sudo ./local-setup.sh
# Select option 3: Install DAMX Suite (complete with Secure Boot support)

Installation with Secure Boot Support (Drivers Only):

sudo ./local-setup.sh
# Select option 4: Install drivers only (with Secure Boot support)

Update with Secure Boot Option:

sudo ./local-setup.sh
# Select option 6: Reinstall/Update DAMX Suite
# When prompted, choose 'y' for Secure Boot support

---

Technical Details

Kernel Compiler Detection:

The is_llvm_kernel() function checks:

1. Method 1: modinfo kernel version magic string
2. Method 2: /proc/version (primary method for CachyOS)
3. Method 3: Kernel config file (/boot/config-* or /proc/config.gz)
4. Method 4: System kernel config interface

Build Flags Used:

For LLVM Kernels:

make clean LLVM=1 CC=clang
make LLVM=1 CC=clang
make install LLVM=1 CC=clang

For GCC Kernels:

make clean
make
make install

---

Testing & Validation

Tested On:

• ✅ CachyOS Linux with Linux 6.18.7-2-cachyos (Clang 21.1.6)
• ✅ Kernel compiler auto-detection working correctly
• ✅ Driver builds successfully with Clang on LLVM kernels
• ✅ Secure Boot signing applied automatically
• ✅ Module loads and functions correctly after installation

Build Output Example (CachyOS):

🔍 Detected Distribution: CachyOS Linux (arch family)
🔨 Using compiler: clang
🧹 Cleaning previous builds...
🔨 Building driver...
   Detected LLVM-compiled kernel, using Clang...
CC [M]  src/linuwu_sense.o
LD [M]  src/linuwu_sense.ko
BTF [M] src/linuwu_sense.ko
🔐 Signing driver file: ./src/linuwu_sense.ko...
✅ SUCCESS: Driver installed and SIGNED.

---

Real-World Usage - Personal Testing on CachyOS + KDE

System Configuration:

• OS: CachyOS Linux (Arch-based)
• Kernel: 6.18.7-2-cachyos (LLVM/Clang compiled)
• Desktop Environment: KDE Plasma
• Acer Laptop Model: With Nitro button support

Daily Usage Workflow:

1. Installation (One-time setup)

cd /path/to/DAMX-0.9.1
sudo ./local-setup.sh
# Select option 3: Install DAMX Suite (complete with Secure Boot support)
# Script auto-detects LLVM kernel and builds with Clang
# Driver signed automatically ✅

2. KDE Startup Script Integration

Setup is simple and straightforward:

1. Run the script once:

./MapNitroButton.sh

2. Add to KDE Autostart:
   • Open KDE System Settings
   • Go to Startup and Shutdown → Autostart
   • Click Add Script
   • Select /path/to/MapNitroButton.sh
   • Done! ✅

The script will now launch automatically on every KDE login and listen for the Nitro button.

3. Daily Usage

• Press Nitro Button → DAMX GUI launches instantly
• DAMX GUI → Control brightness, fan speed, display modes
• Daemon → Runs silently in background, monitoring system

Screenshots:

• KDE System Tray with DAMX running
• DAMX GUI showing Acer control options
• System Monitor showing linuwu_sense module loaded
• Terminal output from successful build on CachyOS

Performance Observations:

• ✅ No compatibility issues with KDE Plasma
• ✅ DAMX daemon consumes minimal resources
• ✅ Nitro button responds instantly
• ✅ LLVM-compiled driver performs optimally on CachyOS
• ✅ Secure Boot integration works seamlessly
• ✅ No kernel warnings or errors

---

Breaking Changes

None. All existing functionality is preserved and enhanced.

---

Backward Compatibility

✅ Fully backward compatible with existing installations and scripts.

---

[scorpionTaj]

Refactored the build process to support both LLVM and standard kernels, incorporating updates from #86 and #141.

[Copilot]

Pull request overview

This PR adds comprehensive Secure Boot support for DAMX Suite's kernel driver installation, with intelligent compiler detection for LLVM/Clang-compiled kernels (particularly CachyOS). It also introduces a new utility script for mapping the physical Nitro button on Acer laptops to launch the DAMX GUI.

Changes:

• Added build_sign_install.sh script with multi-distribution support for building, signing, and installing drivers with Secure Boot
• Extended local-setup.sh with new Secure Boot installation options (menu items 3 and 4) and updated the reinstall option to prompt for Secure Boot preference
• Enhanced MapNitroButton.sh with improved device detection, automatic permission management, and duplicate instance prevention

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 17 comments.

File	Description
scripts/local-setup.sh	Added install_drivers_with_secureboot() function, updated menu with 2 new Secure Boot options, modified perform_install() to accept secure boot parameter
scripts/build_sign_install.sh	New comprehensive script for detecting distributions, LLVM kernels, building drivers with appropriate compiler, signing with Secure Boot keys, and installation
scripts/MapNitroButton.sh	Refactored device detection logic, improved permission handling with automatic group management and udev rules, added process checking to prevent duplicate launches

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The install_dependencies function is called again on line 210 after LLVM kernel detection, which could result in unnecessary dependency installation checks. This call is redundant since dependencies were already installed on line 145. Consider removing this duplicate call or adding a guard to prevent reinstallation.

Suggested change

install_dependencies # Ensure clang is installed

[Copilot]

The function returns 0 (success) even when signing fails or when secure boot keys are not found (lines 240, 248, 254). This masks signing failures and could lead to the script reporting success when the driver is not actually signed. Consider returning a non-zero exit code when signing fails, or at minimum, set a variable to track the signing status so callers can determine if signing actually succeeded.

Suggested change

	sign_driver() {
	# All distros use the kernel's sign-file script for module signing
	if [[ -f "$SIGN_TOOL" ]]; then
	if [[ -z "$KEY" || -z "$CERT" ]]; then
	echo "⚠️ Warning: Secure Boot keys not found, skipping signature..."
	return 0
	fi
	echo " Using sign-file script (kernel native)..."
	if "$SIGN_TOOL" sha256 "$KEY" "$CERT" "$DRIVER_FILE" 2>&1; then
	return 0
	else
	echo "⚠️ Warning: Signing attempt had issues, proceeding anyway..."
	return 0
	fi
	else
	echo "⚠️ Warning: sign-file tool not found at $SIGN_TOOL"
	echo " This usually means kernel headers may not be properly installed."
	echo " Proceeding without signing..."
	return 0
	fi
	}
	# Call the signing function
	sign_driver
	echo "✅ Driver preparation complete."
	sign_driver
	SIGN_DRIVER_STATUS=0
	sign_driver() {
	# All distros use the kernel's sign-file script for module signing
	if [[ -f "$SIGN_TOOL" ]]; then
	if [[ -z "$KEY" || -z "$CERT" ]]; then
	echo "⚠️ Warning: Secure Boot keys not found, skipping signature..."
	SIGN_DRIVER_STATUS=2
	return 2
	fi
	echo " Using sign-file script (kernel native)..."
	if "$SIGN_TOOL" sha256 "$KEY" "$CERT" "$DRIVER_FILE" 2>&1; then
	SIGN_DRIVER_STATUS=0
	return 0
	else
	echo "⚠️ Warning: Signing attempt had issues, proceeding anyway..."
	SIGN_DRIVER_STATUS=1
	return 1
	fi
	else
	echo "⚠️ Warning: sign-file tool not found at $SIGN_TOOL"
	echo " This usually means kernel headers may not be properly installed."
	echo " Proceeding without signing..."
	SIGN_DRIVER_STATUS=3
	return 3
	fi
	}
	# Call the signing function and report status
	sign_driver
	case "$SIGN_DRIVER_STATUS" in
	0)
	echo "✅ Driver preparation complete and signed."
	;;
	1)
	echo "⚠️ WARNING: Driver preparation completed but signing failed."
	;;
	2|3)
	echo "⚠️ WARNING: Driver preparation completed without signing."
	;;
	esac

[Copilot]

The udev rule on line 42 is written to the same file path on line 56, which could create a race condition if multiple instances of this script run simultaneously or if the first write hasn't completed when the second check occurs. Consider adding a lock mechanism or checking if the rule already exists before attempting to write it again.

[Copilot]

The kernel_version variable is declared but never used after line 150. It was likely intended to be used in the kernel config path construction on line 164, but that line uses $(uname -r) directly. Consider either removing the unused variable or using it consistently throughout the function for better maintainability.

[Copilot]

The modinfo command on line 280 is passed the path stored in $INSTALLED_PATH, but if modinfo -n on line 276 fails or returns an empty string, this will result in modinfo "" being executed, which will fail with an unclear error. Add a check to verify $INSTALLED_PATH is not empty before using it, or use modinfo "$DRIVER_NAME" directly instead.

Suggested change

	echo ""
	echo "============================================"
	if modinfo "$INSTALLED_PATH" 2>/dev/null | grep -q "signer"; then
	if [ -n "$INSTALLED_PATH" ]; then
	MODINFO_TARGET="$INSTALLED_PATH"
	else
	MODINFO_TARGET="$DRIVER_NAME"
	fi
	echo ""
	echo "============================================"
	if modinfo "$MODINFO_TARGET" 2>/dev/null | grep -q "signer"; then

[Copilot]

The error handling when build_sign_install.sh is not found (lines 218-223) returns to the parent directory before returning, but the same pattern should be applied if the directory doesn't exist (lines 208-213). Currently, if the directory doesn't exist, the function returns without attempting to change back to the original directory, which could leave the shell in an undefined state. Ensure consistent directory handling across all error paths.

[Copilot]

The hardcoded 2-second sleep on line 80 after launching DAMX is arbitrary and could be either too long (wasting time) or too short (if DAMX takes longer to start on slower systems). Consider removing this sleep entirely, or make it configurable. The sleep appears to be intended to prevent immediate re-detection of the key press, but the process check on line 75 should be sufficient for this purpose.

[Copilot]

The instructions on lines 298-299 reference './setup.sh' and 'Option 2 (Install without Drivers)', but based on the local-setup.sh changes, the correct script name is 'local-setup.sh' and Option 2 is now "Install DAMX Suite (without drivers)". This creates confusion for users who will be looking for a non-existent script. Update the instructions to reference the correct script name.

Suggested change

	echo "2. After rebooting, go back to the main folder and run './setup.sh'"
	echo " Choose Option 2 (Install without Drivers)."
	else
	echo "2. After rebooting, enroll the Secure Boot key if prompted."
	echo "3. Then run './setup.sh' and choose Option 2 (Install without Drivers)."
	echo "2. After rebooting, go back to the main folder and run './local-setup.sh'"
	echo " Choose Option 2 (Install DAMX Suite (without drivers))."
	else
	echo "2. After rebooting, enroll the Secure Boot key if prompted."
	echo "3. Then run './local-setup.sh' and choose Option 2 (Install DAMX Suite (without drivers))."

[Copilot]

The reference to 'Option 2 (Install without Drivers)' on lines 302 is inconsistent with the current menu options in local-setup.sh. After the menu update, Option 2 is "Install DAMX Suite (without drivers)". Update this reference to match the current menu structure.

Suggested change

	echo " Choose Option 2 (Install without Drivers)."
	else
	echo "2. After rebooting, enroll the Secure Boot key if prompted."
	echo "3. Then run './setup.sh' and choose Option 2 (Install without Drivers)."
	echo " Choose Option 2 (\"Install DAMX Suite (without drivers)\")."
	else
	echo "2. After rebooting, enroll the Secure Boot key if prompted."
	echo "3. Then run './setup.sh' and choose Option 2 (\"Install DAMX Suite (without drivers)\")."

[Copilot]

The exec sg input -c "$0 $@" command on line 49 will re-execute the script with the input group active, but it doesn't preserve the original process tree context. If this script is launched by a process monitor or systemd, the exec call could break the parent-child relationship. Additionally, using $@ without quotes could cause issues with arguments containing spaces. Use "$@" with proper quoting instead.

Suggested change

	# This re-runs the script with the new 'input' group active immediately
	exec sg input -c "$0 $@"
	exit 0
	# This re-runs the script with the new 'input' group active immediately,
	# preserving argument boundaries and the original process tree context.
	CMD=$(printf '%q ' "$0" "$@")
	sg input -c "$CMD"
	exit $?