After installing OpenSuse Leap 15.6 I noticed that the efivars filesystem was 96% full. The largest file under /sys/firmware/efi/efivars was:
MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23
which at 47K is nearly 50% of the total usage. I assume this file contains a list of enrolled keys but I don’t know.
Running “mokutil --list-enrolled” shows 49 keys - most of which are for various updates of the nvidia drivers. Every time a new driver is installed I install a new key but I assume the old keys are not removed.
If I create a new directory and run “mokutil --export” files are created from MOK-0001.der to MOK-0049.der. I assume I could work out which are the keys for old versions of the nvidia driver and do “mokutil --delete ” to remove the keys that are no longer needed. The man page for mokutil says that this command will form a deleting request to shim - so I assume on re-booting the box I will be presented with the blue screens of the MOK Management utility and will have to confirm which keys are to be deleted.
So I have two questions - is this what I need to do to prevent the efivars filesystem from filling up, and does it work in the way that I think it does? I would be grateful for any further information on the mokutil commands and the MOK Management application.
Of course not. It will just free some space once, but it has no impact on the future behavior.
They should be when the NVIDIA package is removed. If you can reproduce it with enough evidence (certificates and packages present before and after NVIDIA installation/update, full output of zypper install) you most certainly need to open a bug report.
Thank you for the reply. I will see what happens when the next release of nvidia drivers occurs and if I can get the evidence that the keys are not being deleted. I am a little confused as to why manually deleting the keys now would not free up space? Looking at the output of “mokutil --list-enrolled” shows that of the 49 keys enrolled, 46 of them are for nvidia going back to 2021. So presumably some of these could be deleted - I’m just unsure of the exact procedure to do this?
You can compare the existing certificates under /var/lib/nvidia-pubkeys or /usr/share/nvidia-pubkeys and delete everything not present there or delete all NVIDIA certificates and then import those currently present on your system.
This assumes that only certificates for the currently installed packages are present. If not, you can check which certificate was used to sign the kernel modules and leave it, deleting the others.
If you have questions about how to do it, you had better start by showing the actual content of this directory (whatever you have; it did change at some point).
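A script that carries out the comparison described in this reply, added here as an illustration; it was not posted by anyone in the thread. It assumes that mokutil --export writes MOK-NNNN.der files into the current directory (as the original poster describes), that the reference directories are the two named above, and that openssl is available for printing certificate subjects (optional). The comparison itself uses only POSIX tools and never deletes anything: it prints the mokutil --delete command for each stale certificate so the list can be reviewed first, and the actual deletion request still has to be confirmed in MokManager on the next reboot.

```shell
#!/bin/sh
# Added example, not from the thread. Lists exported MOK certificates that no
# longer match any certificate under the NVIDIA public-key directories, so the
# stale ones can be reviewed before being handed to "mokutil --delete".
# Assumptions: mokutil --export writes MOK-NNNN.der into the current directory
# (as the original poster describes); the reference directories are the two
# named in the thread. Nothing in this script deletes a key.

# is_referenced FILE DIR...  -> exit 0 if FILE is byte-identical to some *.der in DIR...
is_referenced() {
    f="$1"; shift
    for dir in "$@"; do
        for r in "$dir"/*.der; do
            # A missing directory or empty glob leaves the literal pattern; skip it.
            if [ -f "$r" ] && cmp -s "$f" "$r"; then
                return 0
            fi
        done
    done
    return 1
}

# find_stale_moks EXPORTDIR REFDIR...  -> prints one path per line for every
# exported MOK-*.der that matches nothing in the reference directories.
find_stale_moks() {
    exportdir="$1"; shift
    for f in "$exportdir"/MOK-*.der; do
        [ -f "$f" ] || continue
        if ! is_referenced "$f" "$@"; then
            printf '%s\n' "$f"
        fi
    done
}

# describe_der FILE -> prints the certificate subject when openssl is installed
# (an assumption, not a requirement), otherwise just the file name.
describe_der() {
    if command -v openssl >/dev/null 2>&1; then
        printf '%s: %s\n' "$1" "$(openssl x509 -inform DER -in "$1" -noout -subject)"
    else
        printf '%s\n' "$1"
    fi
}

# Live flow on a real system: export the enrolled keys into a scratch directory,
# list the stale ones, and print the mokutil command that would queue each
# deletion request for confirmation in MokManager at the next reboot.
review_enrolled_moks() {
    workdir=$(mktemp -d)
    ( cd "$workdir" && mokutil --export ) || return 1
    find_stale_moks "$workdir" /var/lib/nvidia-pubkeys /usr/share/nvidia-pubkeys |
    while read -r f; do
        describe_der "$f"
        echo "  candidate: sudo mokutil --delete \"$f\""
    done
}

# Only run the live flow when explicitly requested and mokutil is present.
if [ "${MOK_REVIEW:-0}" = 1 ] && command -v mokutil >/dev/null 2>&1; then
    review_enrolled_moks
fi
```

Run it as MOK_REVIEW=1 sh mok-review.sh (file name assumed) on the box in question; the comparison is by file content rather than by name, so certificates that were re-exported under a different MOK-NNNN number still match their package copy. Because the review and the deletion are separate steps, the printed list can be checked against the signer of the currently loaded nvidia module before any mokutil --delete is issued.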
Always use preformatted text to post computer output. Otherwise post becomes barely readable.
Anyway, you tagged your topic with 15.6, but I do not see any key for 15.6 packages. Which means you likely can safely remove all keys there. Did you check /usr/share/nvidia-pubkeys?
I checked /var/lib/nvidia-pubkeys but didn’t realise that there could be files in /usr/share/nvidia-pubkeys as well. The 15.6 entry is there - apologies for not checking before.