Re: Working with secureboot

Tue, 22 Jul 2025 07:23:24 -0700 


On 7/21/25 5:05 PM, Todd Zullinger wrote:

Robert McBroom via users wrote:

On 7/18/25 5:54 PM, Todd Zullinger wrote:

following command, run as root:

      mokutil --sb-state

Secure boot is enabled in the bios. Yes fedora recognizes that.

If it says only "SecureBoot enabled" then try listing all
the enrolled keys (-la is short for --list-enrolled --all):

      mokutil -la

You can compare it to the output from working hosts.

mokutil -la
[MokListRT]
2bb010e24d fedoraca
9e15c765a1 HPZ440.attlocal.net-939547965

This is what the cert generated by kmodgenca looks like.  Is
it from the host where mokutil --import fails?

If so, then it seems like things did work at one point and
now you might just need to ensure that it matches the key
which is on the filesystem and that is the key used to sign
the nvidia kernel module which akmod has generated.

You can check that the key matches with the --test-key
option, I believe:

     mokutil --test-key /etc/pki/akmods/certs/public_key.der

To check that the module is signed by that key, run these
commands to and check that the hashes match (they'll differ
in case, but that's OK here):

     modinfo nvidia | grep sig_key:

     openssl x509 -in /etc/pki/akmods/certs/public_key.der \
         -noout -text | grep -A1 'Serial Number:'

(Only the second one _needs_ to be run as root.)

If those match, then the signature _should_ be fine.  Then,
if the system is not loading the nvidia module, there is
some other reason for it which will need to be determined.


Lots of similar entries to the last line. The first three
seem to be fedora specific and are seen on all three
fedora installations.

The one which has the hostname should differ between each
host, I would think. :)
Sharing /boot/efi between the installs is apparently the problem. Even though the hostname is different the certification will not register.  The keys between the two installations are different 
--
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to