Noob here, I have some questions about Secure Boot

Hello everyone,

I have decided to take the big step and abandon Windows.
After trying Ubuntu first, then Debian, I finally discovered that Fedora allows me to do some things much more simply and with less hassle.
On my old Asus laptop, I found alternatives to the applications I used with Windows - with three exceptions.
I also bought a new laptop where I will install Fedora directly and no Windows.
I discovered that Btrfs is excellent, as is Zram.

I had some minor issues configuring the Nvidia drivers for my old GeForce MX130, but I think this depends on my ignorance.
I will have an Nvidia on the next laptop, so I wanted to understand if I am doing something wrong.

From RPM Fusion, I saw that to install the Nvidia drivers, you have to launch from the shell:

sudo dnf install akmod-nvidia # rhel/centos users can use kmod-nvidia instead
sudo dnf install xorg-x11-drv-nvidia-cuda #optional for cuda/nvdec/nvenc support

On the restart, I got a message about the failed loading of Nvidia drivers (I don’t remember the exact text), and I understood that this probably depended on Secure Boot enabled in the BIOS.
Going back with Timeshift and disabling Secure Boot before installing the drivers, I noticed the message did not appear.
I had issues installing and signing VMware Workstation Pro modules, too.
Disabling Secure Boot, everything works fine.

So I wonder: do I always leave Secure Boot enabled?
Can I turn it off entirely with Linux?

I hope to receive some info on this topic before moving on to others (the three exceptions I have not yet specified).

Thanks to everyone,
Piero


Usually, having Nvidia as a graphics card sometimes creates issues. It is known to be the case for BSD and Linux, as Nvidia drivers are not open source. But in recent efforts by Collabora and Red Hat, NVK, a new Nvidia open-source driver, is already in process and queued to be merged in Linux kernel 6.6 and Mesa 23.3. This is significantly better and usable. Also, a note that nowadays Nvidia is actually updating their driver for Linux, and these are reliable.

Ah, this is interesting!
Thanks for sharing!

Turning off Secure Boot works fine with Linux. Of course, the issue is that you lose some security without it. For example, anyone could simply boot the device from a USB stick into a different OS and steal personal info.

I found this guide on RPM Fusion that deals with secure boot and how to have it enabled with third party drivers enabled.
https://rpmfusion.org/Howto/Secure%20Boot

That said, if you are comfortable with it, I would recommend removing Secure Boot entirely. Mainly because it's possible you will have to re-sign the modules on an update.

Hello!
I followed that guide to sign Nvidia and, somehow, VMware.
All my partitions will be encrypted, so I hope that people who steal my laptop can’t access my data quickly.

Secure Boot does not protect the boot chain for Linux.
Turning it off is not a downgrade in security.

There are efforts under way to make Secure Boot for Fedora truly useful.
But at the moment, with GRUB, that is not the case.

The technical issue is that Linux needs to load the kernel+initrd as one signed unit, and that is not the case today.


Interesting.
So, encrypting the entire disk is pretty good for security?
And for now, I don’t have to care about a secure boot.
I can’t wait to install Fedora on my new laptop.

Thanks!

The real fix for signed modules is that they must be signed at the time they are compiled. Installing the drivers before creating the key and using mokutil to import it into the BIOS does not achieve that, unfortunately.

The fix when this happens is really simple though.

  1. Remove the unsigned modules. For Nvidia those can be seen with
     dnf list installed kmod-nvidia-$(uname -r)
     and removed similarly:
     sudo dnf remove kmod-nvidia-$(uname -r)

Once removed, the modules may be recompiled and signed with
sudo akmods --force

A similar process can be used for the VirtualBox modules. Simply change the package name to kmod-VirtualBox-$(uname -r).

Note that this assumes one has installed both nvidia and VB from rpmfusion.

Once the modules have been recompiled so they are signed then a reboot with secure boot enabled should properly load them.

Updates done in the future will automatically sign the modules during the upgrade process.

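A pre-reboot check for the procedure above, as an added example that is not from the thread or from RPM Fusion: it parses the `signer:` field of `modinfo` output to tell a signed akmods build from an unsigned one, and, when `mokutil` is present, confirms that signer appears among the enrolled MOK certificates. The `modinfo` and `mokutil` options used are assumed to be available on a Fedora host; the sample output in the test is constructed.

```shell
#!/bin/sh
# Added example (not the thread's or RPM Fusion's code): verify that the
# akmods-built module is actually signed before rebooting with Secure Boot on.
# Assumes `modinfo` prints a "signer:" line for signed modules and that
# `mokutil --list-enrolled` lists enrolled certificates with their Subject.

# Read modinfo output on stdin; print the signer CN, or "unsigned" if absent.
module_signer() {
    s="$(sed -n 's/^signer:[[:space:]]*//p')"
    if [ -n "$s" ]; then printf '%s\n' "$s"; else echo unsigned; fi
}

# Exit status 0 when modinfo output on stdin shows a signature, 1 otherwise.
module_is_signed() {
    [ "$(module_signer)" != "unsigned" ]
}

# Exit status 0 when the enrolled-MOK listing on stdin mentions the given CN.
mok_has_signer() {
    grep -Fq "$1"
}

# Live check for one module (default: nvidia); tools are only used if present.
check_live() {
    mod="${1:-nvidia}"
    if command -v mokutil >/dev/null 2>&1; then
        printf 'Secure Boot: %s\n' "$(mokutil --sb-state 2>/dev/null)"
    fi
    if command -v modinfo >/dev/null 2>&1; then
        signer="$(modinfo "$mod" 2>/dev/null | module_signer)"
        printf 'Module %s signer: %s\n' "$mod" "$signer"
        if [ "$signer" = "unsigned" ]; then
            echo "Unsigned build: remove kmod-$mod-\$(uname -r) and run 'sudo akmods --force'"
            return 1
        fi
        if command -v mokutil >/dev/null 2>&1 && \
           ! mokutil --list-enrolled 2>/dev/null | mok_has_signer "$signer"; then
            echo "Signer '$signer' is not enrolled in MOK; the kernel will reject the module"
            return 1
        fi
    fi
    return 0
}
```

Run `check_live nvidia` (or `check_live vboxdrv`) as root before the reboot; a non-zero exit means the reboot would end in the same "failed to load" message.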

Hello,
So eventually I have to do that just once for Nvidia and VMware (I own a license of workstation pro) and on every update I don’t have to care about signatures.
This is interesting, too!

Not necessarily the same for VMware, since that is proprietary and I never use it, so I cannot speak to how it behaves with updates on Linux.

The nvidia driver OTOH when installed from rpmfusion and properly signed should automatically manage updates for you.

Understood, thank you.

It prevents losing private data if a device is stolen.
Which is why my work laptop must use encrypted disk.
I also encrypt my home disks as well and my backups.

It will not help if the boot chain is compromised.
You will unlock the disk not knowing the hacker is now accessing your data.

Same here.

Sorry, I didn’t understand your sentence. May you rewrite it for clarity?
If I have an encrypted partition (and external encrypted backup) what can happen if the boot is compromised?

s/not/now/ …

To attack a system that uses Secure Boot and an encrypted disk, I would replace your initrd with one that I crafted to tell me your unlock password, or inject a malware service into your system.
This assumes that I get physical access to your machine.

The work on unified kernels prevents this attack. But that work is still being developed.


Understood. Thanks for explaining this to me.