When I was installing Nvidia Drivers via RPM fusion in Fedora 40, I landed in the part regarding secure boot (I have it).
I followed all the steps and all went fine and Nvidia drivers are up and running. But there is a step that I had to skip and my brain is bugging me real bad about it. There is a part of the instructions that I am struggling with, and it is regarding securing the key:
Because the Secure Boot key is available locally on your computer, (by default it’s in /etc/pki/akmods) you might need to consider encrypting your rootfs as appropriate in order to protect the key. Please consider this as a mandatory requirement, or consider to transfer the key to an external (and secure) location. or even use an hardware token.
I see on that directory 2 files, one with the public key and another with a .der file. Should I remove them from the directory? I am kinda scratching my head about this. Any advice would be appreciated.
If you’re really feeling paranoid about it, reinstall the system with full disk encryption, but you should keep the keys where they are because this is required by the akmods service to sign the new module every time you update the driver.
Thanks, you added a lot of clarity about the fact that I should keep the keys there.
If I’m understanding you correctly, the warning on the page is mostly directed to avoid risks of physical tampering. Am I right on this? I am not really concerned about that one since my PC seldom leaves my home