Re: Working with secureboot

On 7/21/25 5:05 PM, Todd Zullinger wrote:
Robert McBroom via users wrote:
On 7/18/25 5:54 PM, Todd Zullinger wrote:
following command, run as root:

      mokutil --sb-state
Secure boot is enabled in the BIOS. Yes, Fedora recognizes that.
If it says only "SecureBoot enabled" then try listing all
the enrolled keys (-la is short for --list-enrolled --all):

      mokutil -la

You can compare it to the output from working hosts.
mokutil -la
[MokListRT]
2bb010e24d fedoraca
9e15c765a1 HPZ440.attlocal.net-939547965
This is what the cert generated by kmodgenca looks like.  Is
it from the host where mokutil --import fails?

If so, then it seems like things did work at one point and
now you might just need to ensure that it matches the key
which is on the filesystem and that is the key used to sign
the nvidia kernel module which akmod has generated.

You can check that the key matches with the --test-key
option, I believe:

     mokutil --test-key /etc/pki/akmods/certs/public_key.der

To check that the module is signed by that key, run these
commands and check that the hashes match (they'll differ
in case, but that's OK here):

     modinfo nvidia | grep sig_key:

     openssl x509 -in /etc/pki/akmods/certs/public_key.der \
         -noout -text | grep -A1 'Serial Number:'

(Only the second one _needs_ to be run as root.)

If those match, then the signature _should_ be fine.  Then,
if the system is not loading the nvidia module, there is
some other reason for it which will need to be determined.

Lots of similar entries to the last line. The first three
seem to be fedora specific and are seen on all three
fedora installations.
The one which has the hostname should differ between each
host, I would think. :)

Sharing /boot/efi between the installs is apparently the problem. Even though the hostname is different, the certification will not register. The keys between the two installations are different.
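
The comparison described in the quoted reply above (the `sig_key` from `modinfo` against the certificate serial number, ignoring case), as an added example that is not part of the original thread. The sample outputs are constructed and the function names are hypothetical; only the commands and the certificate path come from the message.

```shell
#!/bin/sh
# Added example: is the module's sig_key the serial of the akmods certificate?

# Strip colons/whitespace and lowercase, so the case difference is ignored.
normalize_hex() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'A-F' 'a-f'
}

# Read `modinfo <module>` output on stdin, print the sig_key value.
sig_key_from_modinfo() {
    awk '$1 == "sig_key:" { print $2; exit }'
}

# Read `openssl x509 -noout -text` output on stdin, print the serial.
# Assumes the long form, where the hex is on the line after the label.
serial_from_x509_text() {
    awk '/Serial Number:/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

# Succeed only if both values are non-empty and equal after normalizing.
keys_match() {
    [ -n "$1" ] && [ -n "$2" ] &&
        [ "$(normalize_hex "$1")" = "$(normalize_hex "$2")" ]
}

# $1 = modinfo text, $2 = x509 text
check_pair() {
    keys_match "$(printf '%s\n' "$1" | sig_key_from_modinfo)" \
               "$(printf '%s\n' "$2" | serial_from_x509_text)"
}

# Constructed sample outputs (not taken from the thread).
SAMPLE_MODINFO='signer:         host.example-1234567890
sig_key:        4F:2A:9C:00:D1:7E:83:55:1B:6A
sig_hashalgo:   sha256'
SAMPLE_X509='        Serial Number:
            4f:2a:9c:00:d1:7e:83:55:1b:6a
        Signature Algorithm: sha256WithRSAEncryption'

check_pair "$SAMPLE_MODINFO" "$SAMPLE_X509" && echo "sample: signature key matches"

# On a real host (as root): sh this-script --live
if [ "${1:-}" = "--live" ]; then
    cert=/etc/pki/akmods/certs/public_key.der
    if check_pair "$(modinfo nvidia)" "$(openssl x509 -in "$cert" -noout -text)"; then
        echo "nvidia module is signed with $cert"
    else
        echo "nvidia module is NOT signed with $cert"; exit 1
    fi
fi
```

An unsigned module has no `sig_key:` line, so the check fails rather than reporting a match on two empty values.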