https://wiki.debian.org/SecureBoot & Nvidia

Ask for help with issues regarding the Installations of the Debian O/S.
ridnout
Posts: 7
Joined: 2022-12-07 15:06

https://wiki.debian.org/SecureBoot & Nvidia

#1 Post by ridnout »

Been with Debian since 2.4 on an upgrade path to Woody 3.0 and beyond. I started with an Inspiron 8200 when all that new hardware required workarounds for the wireless (ndiswrapper), discrete Nvidia GPU, you name it! I was there when suspend and hibernate were experimental. However, now, I am back this time trying to get Secure Boot, Debian, and Nvidia to play nicely. I might even learn a thing or two. As a new forum member, I have read posts here (not all 33 pages however) and all around Google but have not been able to enjoy success with Secure Boot, Nvidia, and Debian.

Would someone please clarify some of the instructions found in the Secure Boot Debian Wiki?

I've been working on this for months and have come to the conclusion that my comprehension of the guide is lacking. As a precursor, I've created backups of the installation partitions just in case. I've used it as a basis for starting over and over to no avail.

Here goes:

1) At "Enrolling your Key", "If you also have a kernel to sign, you may wish to do the next step first as it will save you one reboot." --> Since I'm using the kernel from the repository, isn't it already signed? Can I skip this step? After the execution, I can remember getting a message saying that a signature was already present and that this one would be appended.

2) Moving back to sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp" I get Permission denied
Trying with elevated prompt --> worked but got Image was already signed; adding additional signature. Ugghhh

3) Verifying if a module is signed shows signatures for all the modules in the directory (nvidia*.ko)

4) Next, find the location of the mok signing key and mok certificate. You can view the location in /etc/dkms/framework.conf, and the default location is /var/lib/dkms.

There is no mok.pub in /var/lib/dkms/ or system wide.
I have not touched /etc/dkms/framework.conf.

Thanks in advance.

ridnout
Posts: 7
Joined: 2022-12-07 15:06

Re: https://wiki.debian.org/SecureBoot & Nvidia

#2 Post by ridnout »

I've started over again with re-imaging the partition from a backup and updating as required.

From the directions, I skipped these two steps as linux-image-5.10.0-19-amd64/stable-security,now 5.10.149-2 amd64 [installed,automatic] Linux 5.10 for 64-bit PCs (signed) is obviously signed:

(1) $ sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
(2) $ sudo mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"

I have verified that all the modules in /lib/modules/5.10.0-19-amd64/updates/dkms are signed showing sig_id, signer, sig_key, sig_hashalgo, and signature.

However, the following command fails with error that mok.pub does not exist:
sudo mokutil --import /var/lib/dkms/mok.pub
Failed to get file status, /var/lib/dkms/mok.pub

mok.pub cannot be found anywhere in the system's directory tree.

Please, what am I missing?

At what point is mok.pub generated?

ridnout
Posts: 7
Joined: 2022-12-07 15:06

Re: https://wiki.debian.org/SecureBoot & Nvidia

#3 Post by ridnout »

To make a long story short-ish...

Because the kernel was already signed as well as the modules along with the key being enrolled, all that was required was a reboot.

Done. Finito.
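The thread's conclusion is that nothing needed signing: the repository kernel already carries Debian's signature, DKMS had already signed the Nvidia modules, and the MOK was already enrolled. The following pre-flight script is an added example (not from the Debian wiki and not posted by ridnout) that answers the three questions from posts #1 and #2 before anyone re-runs sbsign and stacks a second signature on the image. It assumes that `sbverify --list` prints one `signature N` line per signature, that `modinfo` prints `signer:` and `sig_key:` lines for a signed module (as seen in post #2), that dkms 3.x records the key paths in /etc/dkms/framework.conf as `mok_signing_key=` / `mok_certificate=` with /var/lib/dkms/mok.pub as the default, and that `mokutil --test-key` reports "is already enrolled"; those output formats are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example: pre-flight checks before following the wiki's signing steps.
# Assumed tool output formats (see lead-in): sbverify --list, modinfo, mokutil.

# Count signatures in `sbverify --list <image>` output read from stdin.
# A stock Debian kernel image already has one; sbsign would append a second.
count_kernel_signatures() {
    grep -c '^signature [0-9][0-9]*$' || true
}

# Succeed (exit 0) if `modinfo <module>` output on stdin shows a signature
# block, i.e. both a "signer:" and a "sig_key:" field.
modinfo_is_signed() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^signer:' &&
        printf '%s\n' "$out" | grep -q '^sig_key:'
}

# Print the MOK certificate path: mok_certificate= from the given
# framework.conf (assumed dkms 3.x key), else the assumed default
# /var/lib/dkms/mok.pub. A commented-out "# mok_certificate=" line is ignored.
mok_certificate_path() {
    conf=${1:-/etc/dkms/framework.conf}
    p=
    if [ -r "$conf" ]; then
        p=$(sed -n 's/^[[:space:]]*mok_certificate=//p' "$conf" | tr -d '"' | tail -n 1)
    fi
    printf '%s\n' "${p:-/var/lib/dkms/mok.pub}"
}

# Run all checks against the live system (needs sbverify, modinfo, mokutil).
# Usage: sh preflight.sh --run [kernel-version]
preflight() {
    ver=${1:-$(uname -r)}
    img=/boot/vmlinuz-$ver

    n=$(sbverify --list "$img" 2>/dev/null | count_kernel_signatures)
    echo "$img: $n signature(s); if >= 1, do not sbsign it again"

    for m in /lib/modules/"$ver"/updates/dkms/nvidia*.ko*; do
        [ -e "$m" ] || continue
        if modinfo "$m" | modinfo_is_signed; then
            echo "signed:   $m"
        else
            echo "UNSIGNED: $m (dkms did not sign it; check framework.conf)"
        fi
    done

    cert=$(mok_certificate_path)
    if [ ! -r "$cert" ]; then
        echo "missing:  $cert (dkms has not generated a MOK yet)"
    elif mokutil --test-key "$cert" 2>&1 | grep -q 'is already enrolled'; then
        echo "enrolled: $cert (no mokutil --import needed, just reboot)"
    else
        echo "not enrolled: $cert (run: sudo mokutil --import $cert, then reboot)"
    fi
}

case "${1:-}" in
    --run) preflight "${2:-}" ;;
esac
```

The three parsing helpers are kept separate from `preflight` so they can be exercised on captured output without root or the tools installed; on a real bullseye box the interesting case is the one in this thread, where every line reports "signed"/"enrolled" and the only remaining step is the reboot.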
