1

I'm a happy user of Fedora 19 and I have it installed on a Samsung Series 5 laptop, which has an off board video card from NVidia - specifically a GeForce GT 630M. I managed to successfully install Fedora and dual boot it with Windows 8 (not via GRUB, but that's for another moment) and installed Bumblebee, since the Nouveau drivers cause the laptop to get really warm and don't provide good energy management.

However, I can't get the Bumblebee compiled NVidia drivers to load - and I discovered that happens because Secure Boot is enabled! Since I don't know what kind of issue might arise from disabling Secure Boot, here comes my question: is there a way to make NVidia proprietary drivers load properly via Bumblebee without disabling Secure Boot?

I'm looking for some kind of signing which can make these drivers load.

3 Answers

2

Only under rare circumstances will disabling secure boot cause issues, and those circumstances are those where malware tries to change your boot order. If the easiest solution to your problem is disabling secure boot, then that's the best option. Careful browsing habits and antivirus software in Windows combined with using Fedora as a primary or secondary OS will make it highly unlikely you'll ever get malware that secure boot would stop.

1
  • Sounds fair - I'm going to consider this approach.
    – Mauren
    Commented Sep 7, 2013 at 2:37
1

Yes, you now can. The current version of bumblebee includes a new config file called bumblebee-nvidia-sign.conf where you can set your signing keys.

  • Search for "Signing Kernel Modules for Secure Boot" to learn how to create your keys, how to import them into the UEFI Secure Boot keys database, and how to sign drivers with them.
  • For bbswitch you need to sign them manually. But that is very easy, simply create a script under /etc/kernel/postinst.d/ with the following line:

perl /usr/src/kernels/$KVER/scripts/sign-file sha256 $KEYPATH/private_key.priv $KEYPATH/public_key.der /usr/lib/modules/$1/extra/bbswitch.ko

And your system will run that script after every new kernel install. So dkms will compile the driver for the new kernel and this script will sign it.

0

Bumblebee now handles the driver signature by itself. On Fedora 26 (should be the same on other releases) the full procedure is:

Install required dependencies:

dnf install openssl kernel-devel perl mokutil keyutils

Create and cd into a restricted directory such as /root/.kernel-keys

In this directory, create the file keyconf.config and paste the following content:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

Execute the command to generate the key:

openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config keyconf.config -outform DER -out public_key.der -keyout private_key.priv

Request addition of your key to the EFI:

mokutil --import public_key.der

Type the same password twice. You will need it only for the next step.

Reboot your PC. A blue (or weird) screen will appear, depending on your computer. I chose the second option, selected "key 0" then typed the password. The idea is to make your EFI accept the requested key. Your PC will restart.

Boot into Fedora, then edit the file /etc/bumblebee/bumblebee-nvidia-sign.conf. Set the keys created in the previous steps:

## Public and private keys to sign the drivers for systems with secure boot (full path)
## Note: the created public key must be imported into the UEFI.
Publickey=/root/.kernel-keys/public_key.der
Privatekey=/root/.kernel-keys/private_key.priv

Launch the bumblebee installation or run bumblebee-nvidia --debug to build the driver using the keys. It should work. I hope it helped!

Used for reference: https://docs.fedoraproject.org/en-US/Fedora/26/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html

Thanks to Fahad's answer, which helped me a lot.
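
The /etc/kernel/postinst.d/ hook described in the second answer, written out as an added example (not code from any of the answers or from Bumblebee), using the key paths from the third answer. The function names, the KEYDIR and SIGN_FILE variables, and running sign-file directly rather than through perl are assumptions. It refuses a private key that is readable by group or others and confirms that the module ends with the kernel's appended-signature marker.

```shell
#!/bin/sh
# Added example: kernel postinst hook that signs bbswitch for Secure Boot.
# KEYDIR, SIGN_FILE and the function names are assumptions, not Bumblebee's.
KEYDIR=${KEYDIR:-/root/.kernel-keys}
# Marker that sign-file appends after the signature (followed by a newline).
MAGIC='~Module signature appended~'

# Succeed only if the key file grants nothing to group or others (e.g. 600).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeed if the file's last 28 bytes are the appended-signature marker.
module_is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "$MAGIC" ]
}

# sign_module KERNEL_VERSION MODULE_PATH
sign_module() {
    kver=$1
    mod=$2
    signer=${SIGN_FILE:-/usr/src/kernels/$kver/scripts/sign-file}
    if ! key_is_private "$KEYDIR/private_key.priv"; then
        echo "refusing to sign: private key is readable by group/others" >&2
        return 1
    fi
    # sign-file appends, so skip modules that already carry a signature.
    module_is_signed "$mod" && return 0
    "$signer" sha256 "$KEYDIR/private_key.priv" \
        "$KEYDIR/public_key.der" "$mod" || return 1
    # Confirm the signature trailer is really there before reporting success.
    module_is_signed "$mod"
}

# The hook receives the new kernel version as $1, as in the answer's one-liner.
if [ $# -ge 1 ]; then
    sign_module "$1" "/usr/lib/modules/$1/extra/bbswitch.ko"
fi
```

The marker check only shows that a signature was appended; whether the kernel accepts the module still depends on the matching public key having been enrolled with mokutil.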
