Re: Working with secureboot

Mon, 21 Jul 2025 14:05:33 -0700 

Robert McBroom via users wrote:
> On 7/18/25 5:54 PM, Todd Zullinger wrote:
>> following command, run as root:
>> 
>>      mokutil --sb-state
> Secure boot is enabled in the bios. Yes fedora recognizes that.
>> If it says only "SecureBoot enabled" then try listing all
>> the enrolled keys (-la is short for --list-enrolled --all):
>> 
>>      mokutil -la
>> 
>> You can compare it to the output from working hosts.
> mokutil -la
> [MokListRT]
> 2bb010e24d fedoraca
> 9e15c765a1 HPZ440.attlocal.net-939547965

This is what the cert generated by kmodgenca looks like.  Is
it from the host where mokutil --import fails?

If so, then it seems like things did work at one point and
now you might just need to ensure that it matches the key
which is on the filesystem and that is the key used to sign
the nvidia kernel module which akmod has generated.

You can check that the key matches with the --test-key
option, I believe:

    mokutil --test-key /etc/pki/akmods/certs/public_key.der

To check that the module is signed by that key, run these
commands to and check that the hashes match (they'll differ
in case, but that's OK here):

    modinfo nvidia | grep sig_key:

    openssl x509 -in /etc/pki/akmods/certs/public_key.der \
        -noout -text | grep -A1 'Serial Number:'

(Only the second one _needs_ to be run as root.)

If those match, then the signature _should_ be fine.  Then,
if the system is not loading the nvidia module, there is
some other reason for it which will need to be determined.

> Lots of similar entries to the last line. The first three
> seem to be fedora specific and are seen on all three
> fedora installations.

The one which has the hostname should differ between each
host, I would think. :)

-- 
Todd

Attachment: signature.asc
Description: PGP signature

-- 
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to