Fedora 40, nvidia-drivers and secure boot

After double checking your previous answer, I just saw you have a signer with a similar structure to mine and not just “Fedora”, which was what I thought I had read before. I guess @computersavvy's hostname is “fedora”.

So I guess it’s not “automatic”; it is if you enroll an extra key generated by akmods at install time.

Which is convenient, but in turn you’re opening the door of your bootloader to whichever module that gets pulled by any RPM Fusion package, which is a much wider community than the one behind Fedora.

I’m not saying that this is inherently dangerous, but we’d be widening our risk surface quite a bit.

EDIT: who does the akmods’ key belong to

Are you sure that they aren’t already signed by the akmods certificates found in /etc/pki/akmods/{private,certs}? You can sign the modules with additional certificates if you wish. The important point is that the certificate used to sign the modules is also enrolled in the MOK.

As I was saying in the responses after the post you quoted, they were signed, but you need to manually enroll the akmods auto-generated key.

This is something that, unless you know you have to do, or fwiw unless you know that there’s a readme that you should read, you most likely won’t do and it would make it a bit ineffective.

I wonder if DNF (or the UI frontends like Gnome Software) would support some sort of user messages or banners to call your attention to read the README and consider enrolling the key. Or if it would be better to implement the akmods as a DNF plugin instead.

The rpmfusion site is a trusted site so that seems a very minor security risk. The same risk applies to any package that would compile a kernel module with either dkms or akmods and applies to almost all distros whether rpm based or deb based.

The key used by akmods to sign the module is locally generated on the host. That key is then used to sign the module every time a new one is required to be compiled.

It seems you may have previously missed the step at Howto/Secure Boot - RPM Fusion which shows how to configure your system to locally sign modules as they are compiled and to import that key into bios so secure boot accepts the module being loaded.
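Added example, not from the thread or from RPM Fusion: a small POSIX shell check that compares the SHA1 fingerprint of the locally generated akmods certificate (path as documented in the RPM Fusion Secure Boot howto) against the fingerprints that `mokutil --list-enrolled` reports, so you can tell whether the enrollment step was actually done before a rebuilt module fails to load.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the locally generated akmods
# signing certificate is enrolled in the MOK list, so a freshly built module
# is accepted under Secure Boot. Cert path follows the RPM Fusion howto.
AKMODS_CERT="${AKMODS_CERT:-/etc/pki/akmods/certs/public_key.der}"

# Print the SHA1 fingerprints (lowercase) found in `mokutil --list-enrolled`
# output read from stdin, one per line.
mok_fingerprints() {
    grep -i '^SHA1 Fingerprint:' | sed 's/^[^:]*: *//' | tr 'A-F' 'a-f'
}

# Print the SHA1 fingerprint (lowercase) of a DER-encoded certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Exit 0 if the fingerprint given as $1 appears in the MOK listing on stdin.
fingerprint_enrolled() {
    mok_fingerprints | grep -qxF "$1"
}

# Live check: returns 0 if enrolled, 1 if not enrolled, 2 if the certificate
# or mokutil is missing (e.g. akmods never generated a key on this host).
check_akmods_enrolled() {
    [ -r "$AKMODS_CERT" ] && command -v mokutil >/dev/null 2>&1 || return 2
    fp=$(cert_fingerprint "$AKMODS_CERT")
    mokutil --list-enrolled 2>/dev/null | fingerprint_enrolled "$fp"
}

# Human-readable summary; the if/else keeps a non-zero status from aborting
# the script when run under `set -e`.
run_check() {
    if check_akmods_enrolled; then status=0; else status=$?; fi
    case "$status" in
        0) echo "akmods certificate is enrolled in the MOK" ;;
        1) echo "NOT enrolled: run 'sudo mokutil --import $AKMODS_CERT' and reboot" ;;
        *) echo "no readable certificate at $AKMODS_CERT, or mokutil not installed" ;;
    esac
}

run_check
```

On a Fedora host with the RPM Fusion akmods setup the script prints which of the three states applies; the fingerprint compared is the same one `mokutil --list-enrolled` shows under each `[key N]` entry.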

It is good that you identified the issue and corrected it. :+1:

Your issue however is hidden in this thread since it only applies to a) VirtualBox and b) locally signing the modules for secure boot. The original poster was asking specifically about the nvidia drivers and secure boot while yours was specifically about VirtualBox. Not off topic, but hidden as a sub-topic.

In this case it is signed by the DKMS certificate and the key you need to enroll should be somewhere in the directory /var/lib/dkms. Read /usr/share/doc/dkms/README.md for the details.
