Will Startech Ubuntu Drivers work for Fedora?

Hi @gnwiii I provided a url to download the appropriate rpm in an earlier post. That’s been installed and DKMS appears to have correctly built the module for the active kernel.

We’re just stuck now as secure boot is enabled but the local dkms signing key is not added to the UEFI trust store, hence the module cannot be loaded.

As I outlined there’s two ways forward

  1. Load the dkms key into the trust store
  2. Disable secure boot

Can confirm the Google Pixel USBC cables do work for data and charging+Fast. I own 2 Pixels 3XL & 6Pro.

1 Like

Adding the machine owner key to the UEFI trust store is described in the dkms README. It isn’t clear if a MOK was generated and enrolled (if so mokutil --list-enrolled would have it).

I’m not sure if the problem is a bug, a side effect of a manually downloaded 3rd party rpm. It could be useful to see what journalctl has for MOK with journalctl --no-hostname -b -g MOK | cat.

I’m getting a bit confused now. I’d rather not disable secure boot ideally, unless I hear good arguments as to why it’s not providing any real ‘security’

I ran that command, here’s the output:

Apr 03 23:15:12 kernel: efi: ACPI=0x7affe000 ACPI 2.0=0x7affe014 TPMFinalLog=0x7af3e000 SMBIOS=0x716fd000 SMBIOS 3.0=0x716fb000 MEMATTR=0x6ba68018 ESRT=0x6ba73d18 MOKvar=0x71897000 RNG=0x7af90018 TPMEventLog=0x5fcac018 
Apr 03 23:15:12 kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Apr 03 23:15:12 kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)

So 2 MOK’s are being loaded. You didn’t say what you found with:

Mine shows 2 keys, one with

        Issuer: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca

and one issued by me (my other system with Nvidia is an old iMac, so a MOK is not needed).
Use journalctl --no-hostname -b -g X.509 see more details of the certificates that are loaded (note that this includes some additional certificates not relevant to the DisplayLink device.

Apr 01 10:38:22 kernel: cfg80211: Loading compiled-in X.509 certificates for regulatory database
Apr 01 10:38:22 kernel: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
Apr 01 10:38:22 kernel: Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'

Sorry I didn’t really understand your first paragraph so missed that. here’s my output from ‘mokutil --list-enrolled’:
Scratch that, got loads of output. But IF I understand it, it only has 1 “key” referred to as [key 1]
A bit of text that looks like what you pasted from your end:

   Issuer: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca
        Validity
            Not Before: Jul 13 17:31:16 2020 GMT
            Not After : Jan 19 03:14:07 2037 GMT

Not sure if that helps?

If you want to use secure boot, you will need to generate a [MOK per theinstructions at the DisplayLink copr repo (crashdummy/Displaylink Copr) and sign the module. The instructions say “Now you can sign the evdi module. This must be done for every kernel upgrade” – not sure why dkms doesn’t handle the signing.

1 Like

Thanks. I see, pretty complex especially to do every time. Will have a think. In mean time, could you give me a rough idea of how often a kernel upgrade tends to happen, on average?

We’re not using the packages from copr. I posted a link previously to a procedure that should be one time only

https://www.reddit.com/r/tuxedocomputers/comments/12s6evs/this_is_how_i_set_up_secure_boot_with_fedora_and/

1 Like

Al, I struggled through the instructions on that page. I wasn’t sure on some but guessed my way through successfully I think. my path was same as the user on reddit. so I used the command given there. It asked for my password (twice) to do the --import command. Seems to have accepted the command.

Next it says to reboot, and now i see it says “you can now enable secure boot”. Oops, I never disabled SB on this machine, should I have before doing the above?!

Not sure what this MOK menu thing is about, if I need to use keys to get to boot/bios/grub menu. I will just reboot now and see what happens, will report back. It’s fun doing stuff like this when you haven’t a clue (read that in a sarcastic tone :smiley: )

thanks again for your great help in this thread

Ok, well that didn’t seem to work. I rebooted twice, didn’t prompt me with any menus. Any advice appreciated when you get a sec, thanks, inching closer!

Unless you’re running a MSI motherboard, in which case if you upgrade the BIOS/firmware it will re-enable (in)Secure Boot without asking, and will set the MSWin EFI boot active and disable Fedora.

Strange, it just worked when I did it on my laptop (also Lenovo).

Can you confirm there’s still only one cert list in mokutil?

mokutil --list-enrolled

And what’s the current state of SB

mokutil --sb-state

Added displaylink, docking-station and removed lenovo

Thanks

Yep, looks like only 1 key. I see “[Key 1]” but no [key 2] anywhere.

“Secureboot enabled”

I wonder if I did something wrong, but do’nt think so. The only part I got stuck was where it said:

“5: reboot your computer, you should get MOK Manager, press a key to get to the menu”

I just had normal reboots. But the last part of that line made me wonder if I should be pressing a certain key combo to bring up a menu?

thanks again

Can you run the import again

sudo mokutil --import /var/lib/dkms/mok.pub

I’m assuming you get prompted to enter a password here?

Then before you reboot run

sudo mokutil --list-new

and verify that it reports the certificate you’ve just imported. If --list-new doesn’t report the cert then the import has failed for some reason and a reboot will be pointless. If it does report the cert then attempt the reboot and see if the MOK enroll menu appears this time.

1 Like

Ok, I will report exactly what happens:

It asked for sudo password, which I entered. Then it asks “input password”. I enter same password again. Then it asks “input password again”. I enter same password yet again! Submit and comes back to dollar prompt, no msgs. Looks like it worked (i think?!)

Then I ran:

The complete output I get is below (redacted bits i thought may be sensitive):

[key 1]
SHA1 Fingerprint: [redacted]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            [redacted]
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=DKMS module signing key
        Validity
            Not Before: Mar 28 20:30:02 2024 GMT
            Not After : Mar  4 20:30:02 2124 GMT
        Subject: CN=DKMS module signing key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                   [redacted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
               [redacted]
            X509v3 Authority Key Identifier: 
                [redacted]
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
       [redacted]

I don’t really know what you mean here. I hoped my output pasted above may answer that?

I won’t reboot for now

Thanks

That looks good. The DKMS certificate has been imported.

The second and third passwords (that is the same password repeated) you were asked to enter are not your sudo password. It’s a one-time password you will be asked to enter if/when you get to the MOK enroll menu. If you used your sudo password, that’s fine, but just for info it could have been anything, as long as you remember it.

Try the reboot now and see if you get to the MOK menu :crossed_fingers:

1 Like

Thanks again

Well that was scary. I rebooted but before Fedora closed down it said I needed to enter a password to authenticate to reboot due to a ‘program running’. Never seen that before. I entered it and it rebooted, but seemed to hang for ages. I had a power cut due to storms at that exact moment (which doesn’t affect a laptop!) but i had to run away to turn stuff back on. When I returned i had the Yoga Fedora boot up screen which was going nowhere so I force rebooted with power button (while kicking myself for not yet having backups organised!).

It booted up and boom, blue UEFI menu. I had to guess the options as couldn’t remember but I did what the instructions said, enroll MOK (I am 99% sure I did that, quite stressful here at the mo and my memory isn’t what it was!). It showed me a screen with the key which mentioned ‘DKMS’ so I was pretty sure all was good, hit to confirm, entered password, continue. All seemed to go fine. I rebooted.

But… tried hdmi and display port cable from Startech dock, no change, no workie :frowning:
Any more suggestions welcome! If I have to just use HDMI from laptop, so be it, but would be nice to get it working all via the USBC.
thanks

List the enrolled certs again, so we can verify if the DKMS cert has been successfully enrolled

sudo mokutil --list-enrolled

If it has, then check if the evdi module is loaded

lsmod | grep evdi

If that command returns nothing then attempt to load the module manually.

sudo modprobe evdi

If you are able to verify the module is loaded and the dock is still not working then check the logs

sudo dmesg | grep evdi

1 Like