I have the Nvidia RPM driver installed. When I tried to enable secure boot and boot Linux, the Nvidia driver did not get loaded, so I had to disable secure boot. When I check modinfo I can see that the driver was signed with a key that goes something like fedora_123_abc, and I see this same key inside /etc/pki/akmods/certs/. Do I need to enroll this key with MOK, or first generate a new key and rebuild the driver to enable it to work with secure boot? I'm not too familiar with signing drivers. The other question to ask would be: when moving the key to a secure location, do I do that before or after rebuilding the driver/importing the key with MOK?
Enroll the key.
You need the key for a new kernel or Nvidia driver update.
It should be enough to have a LUKS encrypted / filesystem protected with a strong PW.
Yes
The key must be enrolled as shown in the page linked above.
Do not attempt to relocate the key as that will again break booting when there is a new kernel or driver update. The key must be in the present location so akmods can use it for signing newly built modules.
The directory where those keys are stored is only accessible by root and akmods, so they are reasonably secure.
$ ls -lZ /etc/pki/akmods/
total 16
-rw-r--r--. 1 root root system_u:object_r:cert_t:s0 1387 Jul 28 2024 cacert.config
-rw-r-----. 1 root akmods system_u:object_r:cert_t:s0 1548 Sep 30 19:00 cacert.config.in
drwxr-x---. 2 root akmods system_u:object_r:cert_t:s0 4096 Sep 30 19:00 certs
drwxr-x---. 2 root akmods system_u:object_r:cert_t:s0 4096 Sep 30 19:00 private
Thank you for the reply. Before I enroll this key I just want to note that this key seems to be a default key that was generated, as there is a file "cacert.config" that lists the very name of this key, and the file says at the top "Default OpenSSL settings and configuration file for kmodgenca". So should I enroll this key or generate a new one? Also, if I leave the key in the same location, how can I ensure that no script or software could ever use this key to install a malicious kernel mod? I am very security focused and I want to make sure that someone in the future can't just use some exploit to install a malicious kernel mod/driver like you can do on Windows.
With all the problems of Windows 11, people are bound to at some point start moving to Linux, causing cyber criminals to start targeting Linux, and I would like to get ahead of the game and harden down my system even more. We already saw what happened with the Arch repository.
The file to use is shown clearly in the text file /usr/share/doc/akmods/README.secureboot. Follow those instructions and things should 'just work'.
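The replies above say to enroll the existing akmods key with MOK and leave it where akmods can find it, and the listing shows the key directories readable only by root and the akmods group. The script below is an added example (not from this thread, Fedora or the akmods project) that checks those two things on a running system: whether the akmods public certificate is already enrolled in MOK, and whether the private key directory still has no permissions for other users. The paths /etc/pki/akmods/certs/public_key.der and /etc/pki/akmods/private are assumed to be the akmods defaults as described in README.secureboot; the parsing helpers take text so they can be exercised on constructed output without root or mokutil.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the akmods signing key
# under Secure Boot. Paths are assumed from akmods' README.secureboot.
set -u

AKMODS_CERT=/etc/pki/akmods/certs/public_key.der   # assumed default cert path
AKMODS_PRIV=/etc/pki/akmods/private                # assumed default key dir

# Pull the "signer:" value out of `modinfo <module>` output (the CN of the
# certificate that signed the module, e.g. the akmods key named in the thread).
modinfo_signer() {
    printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p'
}

# Return 0 if the module's signer matches the expected certificate name.
# A mismatch means the module was not signed with the key you enrolled.
signer_matches() {
    [ "$(modinfo_signer "$1")" = "$2" ]
}

# Check `stat -c '%a %U %G' DIR` output: the key directory must be root-owned
# and grant nothing to "other", matching the drwxr-x--- listing in the thread.
private_dir_ok() {
    set -- $1
    mode=$1
    owner=$2
    [ "$owner" = root ] || return 1
    case "$mode" in
        *0) return 0 ;;   # last octal digit 0: no read/write/exec for others
        *)  return 1 ;;
    esac
}

# Live checks; run as root on the real system with:  sh check-akmods.sh --live nvidia
live_check() {
    module=${1:-nvidia}
    [ -f "$AKMODS_CERT" ] || { echo "no akmods cert at $AKMODS_CERT"; return 1; }

    # mokutil --test-key exits 0 when the certificate is already enrolled.
    if mokutil --test-key "$AKMODS_CERT" >/dev/null 2>&1; then
        echo "akmods key is enrolled in MOK"
    else
        echo "akmods key not enrolled: run 'mokutil --import $AKMODS_CERT', reboot, and confirm in MokManager"
    fi

    if private_dir_ok "$(stat -c '%a %U %G' "$AKMODS_PRIV")"; then
        echo "$AKMODS_PRIV permissions look right (root-owned, no access for others)"
    else
        echo "WARNING: $AKMODS_PRIV is not root-owned or is accessible to other users"
    fi

    echo "$module signed by: $(modinfo_signer "$(modinfo "$module" 2>/dev/null)")"
}

if [ "${1:-}" = --live ]; then
    live_check "${2:-nvidia}"
fi
```

After enrolling, `modinfo -F signer nvidia` should print the akmods certificate name, and `mokutil --test-key` should report the certificate as enrolled; if the private directory ever shows mode 755, something has loosened it and any local user could read the signing key.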