Previously, I replaced GRUB with systemd-boot, and this removed shim from my system. When I tried to install the Nvidia driver with secure boot enabled, I could not enter MOK management as the RPM official guide suggests. BTW, I use sbctl to sign my .efi files. Is there any way that I could install the Nvidia driver in my case? Any help is appreciated. Please feel free to let me know if additional information is needed. Thank you everyone!
Are you saying that the 2 commands needed (mokutil and kmodgenca) are not working?
At the rpmfusion site and in the file /usr/share/doc/akmods/README.secureboot those are the only appropriate commands for getting the signing key generated and enrolling the key into the bios.
Then I assume you use sbctl to enroll all your keys. It should also be possible to enroll the akmods key as well using sbctl. These keys are found in /etc/pki/akmods/.
I should have been more precise. Those commands worked fine. As far as I know, I had to reboot to enter MOK management, but the reboot actually went back into my Linux system.
I will look into these keys, and I will see what I get.
Remember that the mok is a feature of the shim, and without shim there is no mok. Instead, with sbctl you enroll your certificates directly to the db, and you can get a list of these certificates using the command mokutil --db --list-enrolled.
My understanding is that mok is part of the uefi bios.
Sorry, but it is not. The whole reason for the shim is to implement the mok keystore.
As far as I know, sbctl only signs .efi files. So I suppose that I may have to sign the akmod-nvidia package manually?
It is probably already signed. To check that, run the command modinfo nvidia -F signer. You then need to enroll the signing key into the db store and the key is found at /etc/pki/akmods/certs/public_key.der.
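What the signer check above reads, as an added example that is not part of the original posts: a signed module carries a trailer appended to the .ko file, and this Python sketch detects it. The function names and sample bytes are constructed for illustration; it assumes an uncompressed or xz-compressed module and does not verify the signature or tell you whether the firmware db trusts the key.

```python
import lzma
import struct

MAGIC = b"~Module signature appended~\n"      # MODULE_SIG_STRING in the kernel
TRAILER = struct.Struct(">BBBBB3xI")          # struct module_signature (12 bytes)
PKEY_ID_PKCS7 = 2                             # id_type used by current kernels
XZ_MAGIC = b"\xfd7zXZ\x00"

def signature_info(raw: bytes):
    """Describe the signature appended to a module image, or return None."""
    image = lzma.decompress(raw) if raw.startswith(XZ_MAGIC) else raw
    if not image.endswith(MAGIC):
        return None                           # unsigned module
    trailer_end = len(image) - len(MAGIC)
    trailer_start = trailer_end - TRAILER.size
    if trailer_start < 0:
        raise ValueError("file too short for a signature trailer")
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        image[trailer_start:trailer_end])
    if sig_len > trailer_start:
        raise ValueError("sig_len larger than the file")
    return {
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "module_len": trailer_start - sig_len,  # bytes covered by the signature
    }

def constructed_module(signed: bool) -> bytes:
    """Build a fake module for the demo; not a real ELF or a real signature."""
    body = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return body
    fake_sig = b"\x30\x82" + b"\xaa" * 30     # placeholder bytes, 32 long
    return (body + fake_sig
            + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_sig)) + MAGIC)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # path to a module file on disk
        with open(sys.argv[1], "rb") as fh:
            print(signature_info(fh.read()))
    else:
        print(signature_info(constructed_module(True)))
        print(signature_info(lzma.compress(constructed_module(True))))
        print(signature_info(constructed_module(False)))
```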
Not if you installed the nvidia driver from rpmfusion.
Akmods creates the key and automatically signs the module when it is created. The only manual part is enrolling the key into bios as shown in the file I referenced above
/usr/share/doc/akmods/README.secureboot which is done with the "mokutil" command as a one time action. Every time a new module is built with either a kernel upgrade or a driver update the new module is automatically signed.
You can easily verify that as mentioned by Villy above. modinfo -F signer nvidia
You can't do that if you have chosen to boot with sd-boot without shim. In this case, the key needs to be enrolled directly into the db store as there is no mok store available without the shim. The sbctl command should be able to do that, but that is a question for a different expert.
True,
If not using uefi for booting it cannot be done the "normal" way and it is up to the user to work around that issue.
With modern versions of sd-boot uefi and secure boot is quite possible though.
Booting with sd-boot without shim is still UEFI booting, and secure boot is still possible, but not straightforward and not supported by Fedora.
After playing around for a couple of days, I found that installing akmod-nvidia itself lets me run modinfo -F version nvidia with no issues. But when I ran dnf install xorg-x11-drv-nvidia-cuda and nvidia-smi, I got "NVIDIA-SMI has failed because it couldn't communicate with the NVIDIA driver." I suppose there is something wrong with my installation.
BTW, is the tool to enroll key into db ssh-keygen? Sorry, I am very new to Linux and Fedora.
ssh-keygen is for generating keys used by the ssh command. Not even remotely anything to do with secure boot. I would suggest reading Unified Extensible Firmware Interface/Secure Boot. It is for the Arch distribution, which doesn't provide a shim for booting in secure mode.
I myself wouldn't even try to boot without the shim so I can't tell exactly how to do this. Also, I don't have any nvidia problems as my system doesn't have nvidia.