subvert0r
(subvert0r)
July 23, 2022, 3:37pm
1
I installed Fedora Silverblue 36 (as my secure boot was already on, previous OS was Ubuntu).
But then I just noticed that I can `insmod` any module that I just built!
Followed this:
Hi, I recently upgraded from 34 to 35 and secureboot was working fine.
I was unhappy with bloat in the 35 and so I decided to reinstall.
On starting the new install I couldn’t boot unless I disabled secure boot in the bios.
How do I install secureboot so that kernels are signed (or do I sign ostree sysroot?) on update?
mtia
My `/boot/efi/EFI/fedora/grub.cfg` content is the same as the answer to that post, and my fedora line in `efibootmgr -v` is:
Boot0000* Fedora HD(1,GPT,xxx)/File(\EFI\FEDORA\SHIMX64.EFI)
And secure boot is still on in my UEFI setting.
`dmesg | grep secureboot` output:
“secureboot: Secure boot disabled”
`bootctl` output:
Secure Boot: disabled (unknown)
So what is happening, why is secure boot not working even tho secure boot is on in my UEFI?
dalto
(dalto)
July 23, 2022, 5:08pm
2
It can’t be? If your system was enforcing secure boot and fedora wasn’t, it wouldn’t boot.
subvert0r
(subvert0r)
July 23, 2022, 6:45pm
3
That’s what’s confusing me, but this is a picture from my UEFI setting (it’s ASUS VIII Hero):
And I can’t make sense of it.
Another funny thing is that my nvidia drivers that are loaded are not even signed, even tho I followed these guides:
Howto/NVIDIA - RPM Fusion (and the secure boot guide page which signs the modules)
which seems to be related to this problem:
opened 11:13AM - 11 May 22 UTC
enhancement
**Describe the bug**
When using rpm-ostree, akmods does not sign compiled module with keys found in `/etc/pki/akmods`.
**To Reproduce**
1. `# /usr/sbin/kmodgenca`
2. `# mokutil --import /etc/pki/akmods/certs/public_key.der`
3. Reboot and enroll
4. Overlay an akmods module package(like nvidia driver)
5. Reboot
**Expected behavior**
Modules will get signed with the keys, just like when I run akmods manually.
**OS version:**
```
State: idle
BootedDeployment:
● fedora:fedora/36/x86_64/silverblue
Version: 36.20220511.0 (2022-05-11T00:48:12Z)
BaseCommit: 5c70836453ffbd07757cabeb4c1de5389b95d45d7ec6fe8d2397084e1587fcd7
GPGSignature: Valid signature by 53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4
LayeredPackages: fish nvidia-driver
```
Note that my secure boot worked fine when I was using Ubuntu, and only signed modules were able to load.
And I’m not even able to turn the secure boot state off from the UEFI bios settings, can’t even select it, it just says that it’s enabled! And my UEFI firmware is the latest version.
dalto
(dalto)
July 23, 2022, 7:12pm
4
Some BIOSes require OS Type to be set to Windows for Secure Boot to work. Is that the case with yours?
subvert0r
(subvert0r)
July 24, 2022, 3:14am
5
Not that I know of, because when I was using Ubuntu with secure boot it was selected as other OS as well and everything was working as intended.
Are you suggesting I should set this setting to Windows to resolve the problem? Is there any risk in changing this?
And I assume I should try to sign my nvidia drivers before trying any solution, because if not it will brick the system, right? Probably have to follow up with that GitHub issue that I posted and see if any of the solutions work.
subvert0r
(subvert0r)
July 24, 2022, 2:24pm
6
I also get the following in the `journalctl -xb` output when I `grep -i secure`:
```
Jul 24 16:38:17 fedora kernel: secureboot: Secure boot disabled
Jul 24 16:38:17 fedora kernel: secureboot: Secure boot disabled
Jul 24 16:38:21 fedora systemd[1]: akmods-keygen@akmods-keygen.service - Akmods Secure boot MOK Key Generation was skipped because all trigger condition checks failed.
```
subvert0r
(subvert0r)
August 5, 2022, 5:34am
7
Another thing I noticed is that the nvidia-powerd.service service is failing:
```
systemctl status nvidia-powerd.service
× nvidia-powerd.service - nvidia-powerd service
Loaded: loaded (/usr/lib/systemd/system/nvidia-powerd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2022-08-05 07:57:22 +0430; 2h 0min ago
Process: 859 ExecStart=/usr/bin/nvidia-powerd (code=exited, status=1/FAILURE)
Main PID: 859 (code=exited, status=1/FAILURE)
CPU: 4ms
Aug 05 07:57:22 fedora systemd[1]: Starting nvidia-powerd.service - nvidia-powerd service...
Aug 05 07:57:22 fedora /usr/bin/nvidia-powerd[859]: nvidia-powerd version:1.0(build 1)
Aug 05 07:57:22 fedora /usr/bin/nvidia-powerd[859]: No matching GPU found
Aug 05 07:57:22 fedora /usr/bin/nvidia-powerd[859]: Failed to initialize RM Client
Aug 05 07:57:22 fedora systemd[1]: nvidia-powerd.service: Main process exited, code=exited, status=1/FAILURE
Aug 05 07:57:22 fedora systemd[1]: nvidia-powerd.service: Failed with result 'exit-code'.
Aug 05 07:57:22 fedora systemd[1]: Failed to start nvidia-powerd.service - nvidia-powerd service.
```
Even tho the drivers are loaded just fine, and `nvidia-smi` command shows me the proper driver version and everything works fine (gaming, etc)
Anyone has any idea what is happening?
Side note: I verified that nvidia driver is not signed using `lsmod drivername | grep sign`
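Added example, not part of the original post: one way to see which loaded modules the kernel accepted without a verified signature, and whether a module file on disk carries an appended signature. The function names are illustrative, and the `nvidia` module name in the usage comment is the one discussed in this thread.

```shell
#!/bin/sh
# Added example (not from the thread); function names are illustrative.

# unverified_loaded [FILE] -> names of loaded modules carrying taint flag E.
# The kernel sets E (TAINT_UNSIGNED_MODULE) when it loads a module whose
# signature is missing or whose signing key it does not trust.
# FILE defaults to /proc/modules; the argument lets a saved copy be examined.
unverified_loaded() {
    awk '$NF ~ /^\(.*E.*\)$/ { print $1 }' "${1:-/proc/modules}"
}

# has_appended_sig FILE -> exit status 0 if the module file ends with the
# 28-byte marker "~Module signature appended~\n" that follows an appended
# signature. The marker only shows a signature is present; it does not show
# that the signing key is enrolled or trusted.
has_appended_sig() {
    case "$1" in
        *.xz)  xz -dc -- "$1" ;;      # compressed module, needs xz
        *.zst) zstd -dc -- "$1" ;;    # compressed module, needs zstd
        *)     cat -- "$1" ;;
    esac | tail -c 28 | LC_ALL=C grep -qxF '~Module signature appended~'
}

# Live use on the running system (module path resolved with modinfo -n):
#   unverified_loaded
#   has_appended_sig "$(modinfo -n nvidia)" && echo signed || echo unsigned
unverified_loaded 2>/dev/null || true
```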
grumpey
(Joe)
August 5, 2022, 10:32am
8
Aug 05 07:57:22 fedora /usr/bin/nvidia-powerd[859]: No matching GPU found
Might want to double check the requirements, Chapter 23. Dynamic Boost on Linux
subvert0r
(subvert0r)
August 5, 2022, 1:48pm
9
Yeah, when I run `nvidia-settings -q DynamicBoostSupport` I get this:
ERROR: Error resolving target specification '' (No targets match target specification), specified in query 'DynamicBoostSupport'.
But I assume this has nothing to do with the Secure boot problem, correct?
subvert0r
(subvert0r)
August 5, 2022, 2:32pm
11
So I followed up the following solution to sign the nvidia drivers in Silverblue:
https://github.com/fedora-silverblue/issue-tracker/issues/272#issuecomment-1170279690
Afterwards, I went into my UEFI settings and changed the OS type from Other OS to Windows UEFI mode, and it solved the problem:
```
dmesg | grep secureboot
[ 0.000000] secureboot: Secure boot enabled
[ 0.007731] secureboot: Secure boot enabled
bootctl
System:
Firmware: n/a (n/a)
Secure Boot: enabled (user)
```
So can anyone here make sense of what just happened? Why did changing the OS type in my UEFI setting from other type to Windows UEFI mode solve the problem, even tho I do not have any Windows installed and I only have Silverblue as my main OS? Note that when I had Ubuntu, the OS type was Other OS, and secure boot worked without any problems.
And what is the effect of changing the OS type in UEFI setting from Other OS to Windows UEFI mode?
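The mismatch discussed in this thread (setup screen says enabled, kernel says disabled) can be checked from the OS side by reading the UEFI variables the firmware exposes and the kernel settings that gate unsigned module loading. This is an added example, not part of the original posts; the function names and the `ROOT` prefix argument are assumptions, used so the check can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the thread). Reports what the firmware hands to the
# OS, which can differ from what the setup screen displays.
# The first argument (ROOT) is a hypothetical path prefix for testing;
# pass "" on a live system.

EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivar_byte ROOT NAME -> first data byte of an efivarfs file.
# efivarfs files begin with a 4-byte attribute word, then the variable data.
efivar_byte() {
    f="$1/sys/firmware/efi/efivars/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# sb_state ROOT -> no-efi | setup-mode | enabled | disabled
# setup-mode means no Platform Key is enrolled, so nothing is enforced.
sb_state() {
    [ -d "$1/sys/firmware/efi" ] || { echo no-efi; return; }
    sb=$(efivar_byte "$1" SecureBoot) || sb=0
    setup=$(efivar_byte "$1" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then echo setup-mode
    elif [ "$sb" = 1 ]; then echo enabled
    else echo disabled
    fi
}

# module_policy ROOT -> "sig_enforce=<Y|N|?> lockdown=<mode|?>"
# Modules that fail signature verification are refused when sig_enforce is Y
# or when lockdown is anything other than none.
module_policy() {
    se=$(cat "$1/sys/module/module/parameters/sig_enforce" 2>/dev/null) || se=
    ld=$(sed -n 's/.*\[\(.*\)\].*/\1/p' "$1/sys/kernel/security/lockdown" 2>/dev/null) || ld=
    echo "sig_enforce=${se:-?} lockdown=${ld:-?}"
}

echo "secure_boot=$(sb_state "") $(module_policy "")"
```

If `sb_state` prints `disabled` while the setup screen reports Secure Boot as enabled, the firmware is not enforcing it for this boot, which matches the kernel's "Secure boot disabled" line quoted above.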