
Thread: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

  1. #11

    Default Re: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

    Quote: Originally Posted by nrickert
    I can't check on that because I am not using either nvidia or broadcom drivers.

    It is my understanding that the nvidia drivers are signed. But I think they are signed with a different key. At some time during boot, you probably got a blue screen asking you to add a key. And if you selected "continue" then the key was not added. That could be the problem for nvidia drivers.

    For the broadcom drivers -- those come from packman. As far as I know, the packman maintainers do not have access to the openSUSE signing key. So you would need to create your own key and sign the modules yourself with that.

    I think you only need "dkms" if you are building the modules yourself. If you are installing prebuilt modules, you should not need it.

    The key for checking signatures should be in "/etc/uefi/certs". The signing key is, I hope, carefully protected by openSUSE administrative people. If you want to sign modules yourself, you will need to create your own signing key.
    As you can read in Bug 1175210 - [Leap 15.2] [x11-video-nvidiaG05] Drivers not working with SecureBoot enabled, I didn't even get a blue screen asking to add "the key" (which is actually a certificate and not a key).
    Furthermore, the nVidia kernel-module is compiled at the machine that is installing the nVidia drivers; that's how nVidia provides its drivers.
    Anyway, it seems there is something wrong with this whole, that's why I participated on the bug tracker and posted the above bug report...
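
Added example, not part of the thread or any poster's code: a Python check for whether a kernel module file carries an appended signature at all, using the trailer layout from the Linux kernel's module_signature.h. It only inspects structure; it does not verify the signature or whether the signer's certificate is enrolled (the function names and the sample bytes are constructed for illustration).

```python
import struct

# Layout the Linux kernel expects at the end of a signed .ko file:
#   [ELF module][PKCS#7 signature][struct module_signature][magic string]
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
TRAILER = struct.Struct(">5B3sI")
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts for modules


def parse_module_signature(blob: bytes):
    """Return None for an unsigned module, else a dict describing the signature."""
    if not blob.endswith(MAGIC):
        return None
    trailer_off = len(blob) - len(MAGIC) - TRAILER.size
    if trailer_off < 0:
        raise ValueError("file too short for a signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = \
        TRAILER.unpack_from(blob, trailer_off)
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    if any((algo, hash_, signer_len, key_id_len)) or pad != b"\0\0\0":
        raise ValueError("reserved trailer fields are not zero")
    if sig_len >= trailer_off:
        raise ValueError("sig_len does not fit inside the file")
    sig_off = trailer_off - sig_len
    return {"module_size": sig_off, "sig_len": sig_len,
            "pkcs7": blob[sig_off:trailer_off]}


def build_sample(signed=True, sig_len_field=None):
    """Constructed test input: a 64-byte fake ELF body plus a fake 16-byte signature."""
    body = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return body
    sig = b"\x30\x82\x01\x00" + b"\xaa" * 12  # placeholder bytes, not a real PKCS#7
    n = len(sig) if sig_len_field is None else sig_len_field
    return body + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", n) + MAGIC


if __name__ == "__main__":
    for label, data in (("unsigned", build_sample(False)), ("signed", build_sample())):
        info = parse_module_signature(data)
        print(label, "->", None if info is None else
              {"module_size": info["module_size"], "sig_len": info["sig_len"]})
```

To check a real module, pass the bytes of a decompressed .ko file to parse_module_signature(); a None result means the file has no appended signature for the kernel to check.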

  2. #12

    Default Re: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

    Quote: Originally Posted by nrickert
    As far as I know, systemd-boot does not support secure-boot at all.
    That's correct for both Systemd-boot and grub and others alike, because that is the job of the shim.
    I use the shim in the same way as grub does, e.g., let shim chain-load Systemd-boot directly without grub in between them.

  3. #13
    Join Date
    Sep 2012
    Posts
    5,859

    Default Re: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

    Quote: Originally Posted by TriMoon
    That's correct for both Systemd-boot and grub and others alike, because that is the job of the shim.
    shim only verifies bootloader. grub explicitly verifies kernel using shim interface. sd-boot does not.

  4. #14

    Default Re: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

    Quote: Originally Posted by arvidjaar
    shim only verifies bootloader. grub explicitly verifies kernel using shim interface. sd-boot does not.
    The source code does not agree with that statement...

  5. #15

    Default Re: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

    Quote: Originally Posted by TriMoon
    The source code does not agree with that statement
    Well, actually it does but you are right - current sd-boot also supports shim validation (by installing EFI security policy hooks, so any image will be subject to shim verification in addition to built-in firmware verification).

    Hmm ... current shim also supports installing security policy on its own. SUSE builds shim without this support.

  6. #16

    Default Re: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

    Quote: Originally Posted by arvidjaar
    Hmm ... current shim also supports installing security policy on its own. SUSE builds shim without this support.
    Hmmm interesting, not quite sure what you exactly mean by that because the security policy is something the UEFI provides and shim just proxies requests to it while adding support for using the MoKList in the chain of trust AFAIK...
    (A little simplified explanation of shim workings there of course)
    Do you mean current shim actually replaces/adds the security policy if the machine has no UEFI or missing/old SecureBoot functionality?

  7. #17

    Default Re: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

    Quote: Originally Posted by TriMoon
    the security policy is something the UEFI provides
    It is possible to override code implementing security policy by custom implementation. Try to actually read and understand what code you yourself pointed at does.

  8. #18

    Default Re: Fresh install.on ASUS X99-PRO/USB3.1 Motherboard

    Quote: Originally Posted by arvidjaar
    It is possible to override code implementing security policy by custom implementation. Try to actually read and understand what code you yourself pointed at does.
    Ok so your answer to my last question is that the current shim indeed replaces the security policy provided by the UEFI...
    (If I didn't understand the code I would not have asked that question, you just didn't understand my question, which is no problem as it is solved now)
