9

I have recently installed Fedora 20 on a custom desktop PC with an ASUS Z87-K motherboard. Given some commonly known bugs, I have installed the NVIDIA proprietary driver for my GeForce 630 and disabled the nouveau driver.

After correctly completing the driver installation, during which the module was signed with a newly generated key pair, an X.509 certificate was created and automatically placed in

/usr/share/nvidia/certificate.der.

However, from that moment, the computer is unable to boot with the UEFI Secure Boot option enabled. When switching to text mode and running nvidia-modprobe, I find that the NVIDIA proprietary module was not loaded.

When I disable Secure Boot in the UEFI menu the computer boots and runs smoothly with the installed driver.

To avoid the drawback of booting in an insecure mode, I would like to know where to place the X.509 certificate of the NVIDIA module in order for it to be recognized by the kernel, so I don't have to turn off Secure Boot.

2 Answers

2

You should be able to load the certificate using MokManager.efi so that it's recognized by Shim, and therefore accepted by the kernel. I don't know if Fedora sets its GRUB up so that you can launch MokManager.efi yourself. If not, try booting (with Secure Boot disabled) a USB flash drive with an EFI shell or rEFInd. You should then be able to launch MokManager.efi and load the certificate file. (It will need to be stored on the same disk as the MokManager.efi utility -- probably /boot/efi from within Fedora.)

I'm pretty sure there's a way to add the certificate to the NVRAM from within Linux so that Shim will notice it and ask if it should be used the next time you reboot, but I don't know precisely what it is. Presumably it would involve writing the file to somewhere in the /sys/firmware/efi directory tree.

That said, I've never had to do this specific thing myself, since I don't use proprietary video drivers on any of my computers. It's conceivable there's some extra step you'll need to take.

  • Turns out you can use mokutil in the command line.
    – Commented Sep 17, 2014 at 12:03
2

You would want to use mokutil to enroll the key.

sudo mokutil --import <der file>

You can test if a key is enrolled with

mokutil --test-key <der file>
1
  • Don't forget to reboot after importing the key.
    – leosh
    Commented May 15 at 11:11
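As an added example (not code from either answer), a small POSIX shell script that wraps the two mokutil commands above: it checks whether the certificate from the question is already enrolled, queues the import only when it is not, and reports a state it could not parse. The command name is read from MOKUTIL so the logic can be exercised without touching the firmware.

```shell
#!/bin/sh
# Added example, not from either answer: enroll the certificate the NVIDIA
# installer generated into the MOK list so Shim, and therefore the kernel,
# trusts the signed module with Secure Boot left on. Assumes mokutil is
# installed and the certificate path from the question. Run as root.
set -eu

MOKUTIL="${MOKUTIL:-mokutil}"   # command to run; overridable for dry runs

# Classify a DER certificate by matching the text `mokutil --test-key` prints
# ("<file> is already enrolled" / "<file> is not enrolled") rather than
# its exit status: enrolled, not-enrolled or unknown.
mok_status() {
    out=$("$MOKUTIL" --test-key "$1" 2>&1) || true
    case "$out" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo not-enrolled ;;
        *)                       echo unknown ;;
    esac
}

# Queue the enrollment only when it is actually missing.
# Returns 0 when an import was queued, 1 when nothing needed doing,
# 2 when the file is missing or the MOK state could not be determined.
enroll_if_needed() {
    cert="$1"
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 2; }
    case "$(mok_status "$cert")" in
        enrolled)
            echo "$cert is already enrolled; nothing to do"; return 1 ;;
        not-enrolled)
            # --import asks for a one-time password; MokManager asks for the
            # same password on the next boot before it adds the key to NVRAM.
            "$MOKUTIL" --import "$cert"
            echo "enrollment queued for $cert: reboot and confirm it in MokManager"
            return 0 ;;
        *)
            echo "could not determine MOK state for $cert" >&2; return 2 ;;
    esac
}

# Usage: sh enroll-mok.sh /usr/share/nvidia/certificate.der
[ "$#" -eq 0 ] || enroll_if_needed "$1"
```

Until the enrollment is confirmed in MokManager on the next boot, `mokutil --test-key` keeps reporting the certificate as not enrolled, so rerunning the script simply re-queues the same import.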
