Question about Secure Boot, UEFI and NVIDIA

Hello everyone,

I am currently looking at different distributions and favor Nobara at the moment. So far I have been using Arch-adjacent distros like Manjaro and EndeavourOS. My question is about Secure Boot and how to use it with Fedora.

So far I have used sbctl to create my keys and roll them out to the UEFI. Very important for me: with sbctl enroll-keys --microsoft, the Microsoft keys must not be removed; my keys are appended to the MS keys. Otherwise my mainboard is soft-bricked, because the graphics card then refuses to work and the screen stays dark. Unlike before, when I had the soft-brick experience, I no longer have an iGPU to rescue me. You don’t want to deactivate Secure Boot in the BIOS without a working monitor. It’s also a problem that Secure Boot is retained across a CMOS reset. That’s why I want to avoid this scenario at all costs when dealing with Fedora and Secure Boot.

I have not yet fully understood the use of mokutil. Are keys imported into the UEFI here or does it all take place in the shim bootloader?

Thank you very much for your help!


It is all in the shim. mokutil adds additional keys into the Machine Owner Key (MOK) list, which is used and maintained by the shim. Normally you can’t add keys into the UEFI db store without having the Microsoft private key available or the private key of the company that manufactures the computer. The MOK allows you to add keys to the system without touching the manufacturer-provided keys.

mokutil is used to manage Secure Boot keys in Fedora. When you enroll keys with mokutil, they are imported into the UEFI firmware’s MOK database, ensuring their trust during the Secure Boot process.
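The two answers above distinguish keys held in the firmware's own db from keys that shim keeps in its MOK list; both are stored in the same EFI_SIGNATURE_LIST format. The parser below is an added example, not code from the thread, and its sample variable, owner GUID and "certificate" blob are constructed placeholders.

```python
# Added example, not from this thread: parse EFI_SIGNATURE_LIST, the format of
# the UEFI PK/KEK/db/dbx variables and of the MokListRT variable shim exposes.
import hashlib
import struct
import uuid
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
KINDS = {EFI_CERT_SHA256_GUID: "sha256"}

def parse_signature_lists(data, efivarfs=True):
    """Return (sig_type, owner_guid, payload) for every entry in the variable."""
    entries, off = [], (4 if efivarfs else 0)  # efivarfs prefixes 4 attribute bytes
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at %d" % off)
        pos = off + 28 + hdr_size  # skip the optional SignatureHeader
        while pos + sig_size <= end:  # EFI_SIGNATURE_DATA = owner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def describe(data, efivarfs=True):
    """List (kind, owner, value); X.509 certs are reported as SHA-256 of their DER."""
    out = []
    for sig_type, owner, payload in parse_signature_lists(data, efivarfs):
        if sig_type == EFI_CERT_X509_GUID:  # compare against the CA's published fingerprint
            out.append(("x509", str(owner), hashlib.sha256(payload).hexdigest()))
        else:  # hash entries (and unknown types) are shown as raw hex
            out.append((KINDS.get(sig_type, "other"), str(owner), payload.hex()))
    return out

def build_list(sig_type, owner, payloads):
    """Pack same-sized payloads into one EFI_SIGNATURE_LIST (used for the sample)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    hdr = struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + hdr + body

# Constructed sample: attribute word, an X.509 list with a placeholder blob, a SHA-256 list.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed GUID
FAKE_CERT = b"\x30\x82" + b"A" * 30  # placeholder, not a real certificate
SAMPLE = (b"\x27\x00\x00\x00" + build_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
          + build_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x01" * 32, b"\x02" * 32]))
```

On a real machine, pass the bytes of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f or MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23 to describe() to see which certificates each store holds, for instance to confirm the Microsoft CAs are still in db after enrolling keys with sbctl.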