diff --git a/third-party/zen-pmu-workaround/Makefile b/third-party/zen-pmu-workaround/Makefile
index 04afb1fbf2c..b7188fef2a6 100644
--- a/third-party/zen-pmu-workaround/Makefile
+++ b/third-party/zen-pmu-workaround/Makefile
@@ -1,10 +1,28 @@
+KERNELRELEASE ?= $(shell uname -r)
+KDIR := /lib/modules/$(KERNELRELEASE)/build
+
+DKMS_NAME := zen_workaround
+DKMS_VERSION := 0.1
+DKMS_SOURCES := Makefile dkms.conf zen_workaround.c README
+
 obj-m = zen_workaround.o
 all:
- make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+ $(MAKE) -C $(KDIR) M=$(CURDIR) modules
 signed: all
- sudo /lib/modules/$(shell uname -r)/build/scripts/sign-file sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der zen_workaround.ko
+ sudo $(KDIR)/scripts/sign-file sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der zen_workaround.ko
 clean:
- make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
+ $(MAKE) -C $(KDIR) M=$(CURDIR) clean
+
+dkms-install:
+ install -d /usr/src/$(DKMS_NAME)-$(DKMS_VERSION)
+ install -m 0644 -t /usr/src/$(DKMS_NAME)-$(DKMS_VERSION) $(DKMS_SOURCES)
+ -dkms add -m $(DKMS_NAME) -v $(DKMS_VERSION)
+ dkms build $(DKMS_NAME)/$(DKMS_VERSION) --force
+ dkms install $(DKMS_NAME)/$(DKMS_VERSION) --force
+
+dkms-uninstall:
+ -dkms remove $(DKMS_NAME)/$(DKMS_VERSION) --all
+ rm -rf /usr/src/$(DKMS_NAME)-$(DKMS_VERSION)
diff --git a/third-party/zen-pmu-workaround/README b/third-party/zen-pmu-workaround/README
index a94b79a7edb..13f295b09f4 100644
--- a/third-party/zen-pmu-workaround/README
+++ b/third-party/zen-pmu-workaround/README
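Review bot: In the Makefile's `dkms-install` recipe, `install -d /usr/src/$(DKMS_NAME)-$(DKMS_VERSION)` creates the source directory without `-m`, so its mode is left to the invoking umask. That tree is what DKMS later compiles, presumably as root, on every kernel upgrade (dkms.conf sets `AUTOINSTALL=yes`), so I would pin it with `install -d -m 0755 /usr/src/$(DKMS_NAME)-$(DKMS_VERSION)`. The targets are also not declared phony; `.PHONY: all signed clean dkms-install dkms-uninstall` keeps a stray file named `dkms-install` from silently skipping the recipe. A one-line comment above `-dkms add` saying the error is ignored because the module may already be registered (if that is the intent) would document the leading `-`.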
@@ -5,3 +5,11 @@ This has the same effect as `scripts/zen_workaround.py`, but persists after resu
 There is no upstream, but we put it in third-party because it's technically a derived work of the Linux kernel. The license is GPL 2.0. See LICENSE at the root of this repo. If you rely on Secure Boot, assuming you have properly enrolled a new MOK key, you can issue `make signed` to build and sign the kernel module (signature will trigger sudo prompt). It will use the default path of `/var/lib/shim-signed/mok/` for the key.
+
+For a self-maintaining install that rebuilds across kernel upgrades, use DKMS: `sudo make dkms-install` (and `sudo make dkms-uninstall` to remove).
+
+DKMS signing is a one-time system-wide setup. With a MOK key in place, configure DKMS by creating `/etc/dkms/framework.conf.d/mok-signing.conf` with:
+ mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
+ mok_certificate="/var/lib/shim-signed/mok/MOK.der"
+
+Once configured, every DKMS module on the system (not just this one) will be signed with the enrolled MOK automatically.
diff --git a/third-party/zen-pmu-workaround/dkms.conf b/third-party/zen-pmu-workaround/dkms.conf
new file mode 100644
index 00000000000..489edc57658
--- /dev/null
+++ b/third-party/zen-pmu-workaround/dkms.conf
@@ -0,0 +1,8 @@
+MAKE="make"
+CLEAN="make clean"
+BUILT_MODULE_NAME=zen_workaround
+BUILT_MODULE_LOCATION=./
+PACKAGE_NAME=zen_workaround
+PACKAGE_VERSION=0.1
+DEST_MODULE_LOCATION=/kernel/drivers/misc
+AUTOINSTALL=yes
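Review bot: `MAKE="make"` and `CLEAN="make clean"` in dkms.conf never name the kernel being built for, and the Makefile falls back to `uname -r` when `KERNELRELEASE` is unset. During a kernel upgrade DKMS builds for a kernel that is not the running one, so unless the installed DKMS supplies `KERNELRELEASE` itself, the module would be compiled against the running kernel's headers. Stating it explicitly removes that dependency: `MAKE="make KERNELRELEASE=${kernelver}"` and `CLEAN="make KERNELRELEASE=${kernelver} clean"`. `PACKAGE_NAME` and `PACKAGE_VERSION` also duplicate `DKMS_NAME` and `DKMS_VERSION` from the Makefile, so a comment such as `# keep in sync with DKMS_NAME/DKMS_VERSION in Makefile` would guard the next version bump.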