Hello everyone, it is my first time posting in this forum, I’m sorry if I might do something wrong.
Basically, I have a notice in System Settings > Privacy and Security >
It says something like “your hardware doesn’t pass security checks”, “linux kernel verification failed” and that Secure Boot is disabled.
I’m just not sure if I did anything right, in BIOS I’ve turned on TPM 2.0 support, but still it doesn’t work.
A long time ago, I had Windows 10 on this PC, I needed to enable TPM 2.0 so I could use some applications that require it, and it would work on the first try.
I’d really appreciate it if you could help me, I’ve been trying to find some info about this on the internet, but to no avail.
Thanks!
Hi, after enabling Secure Boot in UEFI/BIOS, you need to enroll your MOK (Machine Owner Key). Have you tried this? For Nvidia drivers and other unsigned drivers, a MOK is required. You’ll need to enroll it by rebooting and following the prompts in the MOK manager. This allows the UEFI to trust the drivers.
Here is the output of the commands
I’m not able to copy and paste it here, sorry, so I have to use my camera instead.
Could this issue be related to Nvidia drivers?
I’ve tried to look it up, and it seems that after installing Nvidia drivers I was supposed to enter mokutil window? But in my case, this did not happen.
“Platform is in Setup Mode” means that all the secure boot keys have been removed. Some UEFI implementations might have a setup option to bring them back. Otherwise a utility like sbctl might install some keys in the keystores like the PK, the KEK and the db store.
I’ve found a way to turn on Secure Boot, I needed to do it twice for some reason, in the Security tab and Advanced > Windows OS config, then switch to UEFI, and enable Secure Boot (MSI).
But now after that, I was able to enroll MOK, except for the fact that now I have a different error, that I have an invalid key. I tried to reset TPM through UEFI but this did not help either.
I can also provide you some technical report if you need to, I thought it might be useful: https://postimg.cc/gallery/zYsX9XZ
I was forced to use image hosting website because the forum does not allow me to upload these.
As for the firmware, my BIOS version is up-to-date, and I have updated my system today. Might just run the command you provided (just in case).
There’s no point in trying to get a good device security score when using MSI hardware. There is no security.
If you’re worried about bootkit malware, then you should recycle your motherboard and start over with something that’s not manufactured by MSI.
If you’re not worried about bootkit malware, there’s little reason to ever look at the device security panel (except you can use the technical report to verify that IOMMU is enabled, which is useful to block direct memory access by USB devices).
Experiencing the same message since upgrading to F42 last week, as are others it would appear. Everything was fine in previous versions of Fedora. Doing a reinstall did not achieve anything.
As was already noted above, you MUST enable secure boot in the BIOS setup.
After secure boot is enabled and you have rebooted you must follow the steps in the file /usr/share/doc/akmods/README.secureboot
Then you must rebuild the nvidia driver with the enrolled security key with sudo akmods --rebuild --force so it rebuilds the driver with the key enabled.
A final reboot should properly load the drivers.
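The order of the steps in the reply above can be checked from `mokutil` output before rebooting again. This is an added example, not part of the thread: the certificate path is an assumption based on Fedora's akmods packaging, the step keywords are hypothetical names, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: map mokutil output to the step that is still missing.
# Assumption: Fedora's akmods keeps its public signing cert at this path.
AKMODS_CERT=/etc/pki/akmods/certs/public_key.der

# sb_next_step SB_STATE_TEXT TEST_KEY_TEXT
# Prints one (hypothetical) keyword for the next step in the procedure.
sb_next_step() {
    sb_state=$1
    key_state=$2
    case $sb_state in
        # Setup Mode: no platform key is installed, so nothing is enforced.
        *"Setup Mode"*) echo restore-platform-keys; return 0 ;;
    esac
    case $sb_state in
        *"SecureBoot enabled"*) ;;
        *) echo enable-secure-boot; return 0 ;;
    esac
    case $key_state in
        *"is already enrolled"*) echo rebuild-driver ;;          # akmods --rebuild --force
        *"enrollment request"*)  echo reboot-into-mok-manager ;; # import is pending
        *)                       echo enroll-mok ;;              # mokutil --import "$AKMODS_CERT"
    esac
}

# Query the running machine (may need root to read the MOK list).
sb_live_check() {
    sb_next_step "$(mokutil --sb-state 2>&1)" \
                 "$(mokutil --test-key "$AKMODS_CERT" 2>&1)"
}

# Constructed sample output, so the logic can be read without a UEFI machine.
SAMPLE_SETUP='SecureBoot disabled
Platform is in Setup Mode'
SAMPLE_NOT_ENROLLED="$AKMODS_CERT is not enrolled"

echo "setup mode       -> $(sb_next_step "$SAMPLE_SETUP" "")"
echo "enabled, no MOK  -> $(sb_next_step 'SecureBoot enabled' "$SAMPLE_NOT_ENROLLED")"
```

On the affected machine, call `sb_live_check` after sourcing the file to get the same keyword from the real firmware state.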
Hello! I decided to reinstall the system entirely and enable Secure Boot right after installing it. Surprisingly, it has worked and now the “Security” tab shows that it is actually enabled. However, the “hardware does not pass basic security checks” is still here, and I have no idea how to fix it, because this message does not provide any clear guidance on what’s wrong. However, it says that I can copy “technical report”, maybe this could help you, or something.