My Broadcom-WL drivers did not work with Secure Boot on. modinfo wl showed that they are signed. Investigated a bit and found that Fedora Secure Boot CA is expired in Fedora 37. It should be like this? Is it auto generated on install? Or we have past date on purpose?
Checked cat /boot/config-6.0.18-300.fc37.x86_64 | grep CONFIG_MODULE_SIG_ALL - was on (“y”).
I have enrolled new certs with /usr/sbin/kmodgenca (/usr/share/doc/akmods/README.secureboot), removed Broadcom-WL, installed Broadcom-WL again - all started to work with Secure Boot.
Version: 3 (0x2)
Serial Number: 2574709492 (0x9976f2f4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Fedora Secure Boot CA
Not Before: Dec 7 16:25:54 2012 GMT
Not After : Dec 5 16:25:54 2022 GMT
Subject: CN=Fedora Secure Boot CA
To conclude - I think Fedora Secure Boot CA is unrelated with loading 3rd party kernel modules. Fedora 37 generated certificates on install, I just had to import them with mokutil --import /etc/pki/akmods/certs/public_key.der. How to do it is in /usr/share/doc/akmods/README.secureboot
Quote from README.secureboot
- Ask MOK to enroll new keypair with certificate with the command
`mokutil --import /etc/pki/akmods/certs/public_key.der`.
- mokutil asks to generate a password to enroll the public key.
- Rebooting the system is needed for MOK to enroll the new public key.
- On next boot MOK Management is launched and you have to choose
- Choose "Continue" to enroll the key or "View key 0" to show the keys
- Confirm enrollment by selecting "Yes".
- You will be invited to enter the password generated above.
WARNING: keyboard is mapped to QWERTY!
- The new key is enrolled, and system ask you to reboot