How to use mokutil correctly in an immutable distro like #Aeon (e.g. for nvidia drivers after missing the boot screen)

I am running Aeon on a laptop with nvidia drivers. Everything worked fine until I missed the MOK screen on bootup.
Since then 3D acceleration is no more.

I tried a few things to get the screen to import the key back. All attempts without success.

  • sudo transactional-update shell got me inside and I tried mokutil --import /var/lib/nvidia-pubkeys/MOK-nvidia-driver-G0<X>-<driver_version>-<kernel_flavor>.der --root-pw as in the SDB, closed with exit and sudo reboot now
  • next, inside the transactional-update shell, I tried mokutil --revoke-import
  • I tried to roll back and update again
  • I tried some variants of sudo transactional-update -i mokutil import ...
  • I tried mokutil --disable-validation in the “normal” terminal and in the transactional-update shell - with and without sudo
  • Finally to have some success I just updated my BIOS → that worked for the BIOS but not for the nvidia-driver

What is the intended way in opensuse Aeon to import the mok key, after it has been missed on start up?

Also here as in the German subforum:
please show the complete input line incl. the complete output of the command.

Also use Code-Tags.

As far as I know, you should be able to just use

mokutil --root-key --import PATH-TO-KEY

as the root user. It should not require a transactional-update shell because you are not writing to the root file system. But you still need to watch for the blue screen on the next boot to complete the operation.

Maybe this one:
https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot

Scroll a little bit down.

Thanks for the quick replies. I have the problem that the path to the key is only reachable in the transactional-update shell. Have a look:

user@computer:~> ls /var/lib/
AccountsService  create-dirs-from-rpmdb  lastlog                rollback    udisks2
alternatives     dbus                    lldpad                 rpm         upower
bluetooth        empty                   misc                   samba       wtmpdb
boltd            flatpak                 NetworkManager         selinux     xdm
btrfs            fwupd                   nobody                 sgml        xkb
ca-certificates  gdm                     os-prober              srvGeoClue  YaST2
chrony           hardware                overlay                sshd        zypp
cni              hp                      polkit                 sudo
colord           iscsi                   power-profiles-daemon  systemd
containers       kdump                   private                tlp
user@computer:~> sudo transactional-update shell
[sudo] Passwort für user: 
Checking for newer version.
transactional-update 4.5.0 started
Options: shell
Separate /var detected.
2024-02-09 22:27:05 tukit 4.5.0 started
2024-02-09 22:27:05 Options: -c110 open 
2024-02-09 22:27:05 Using snapshot 110 as base for new snapshot 111.
2024-02-09 22:27:05 /var/lib/overlay/110/etc
2024-02-09 22:27:05 Syncing /etc of previous snapshot 109 as base into new snapshot "/.snapshots/111/snapshot"
2024-02-09 22:27:05 SELinux is enabled.
ID: 111
2024-02-09 22:27:07 Transaction completed.
Opening chroot in snapshot 111, continue with 'exit'
2024-02-09 22:27:07 tukit 4.5.0 started
2024-02-09 22:27:07 Options: call 111 bash 
2024-02-09 22:27:08 Executing `bash`:
transactional update # ls /var/lib/nvidia-pubkeys/
MOK-nvidia-driver-G06-525.116.04-8.1-default.der
MOK-nvidia-driver-G06-535.104.05-11.1-default.der
MOK-nvidia-driver-G06-535.54.03-10.1-default.der
MOK-nvidia-driver-G06-535.54.03-10.13-default.der
MOK-nvidia-driver-G06-535.86.05-10.1-default.der
MOK-nvidia-driver-G06-545.29.06-18.1-default.der
transactional update # 

Unfortunately this one is not working, as I tried to show in the first point of my original post. This is exactly the page where I found the command I entered.

The following does not give any message and a reboot is also not showing the mok screen again.

user@computer:~> sudo mokutil --revoke-import
[sudo] Passwort für user: 
user@computer:~> 

same as

user@computer:~> mokutil --revoke-import
user@computer:~> 

The only possible way for the path /var/lib/nvidia-pubkeys to exist within the transactional-update shell but not in your regular host shell filesystem is if you installed the nvidia drivers and then didn’t reboot before looking.

Assuming you’re booted into Snapshot #1 (S1, for brevity)
You run sudo transactional-update pkg in nvidia-*

Transactional-update then snapshots S1, creating S2.

When transactional-update completes its task successfully, you then must reboot the system, and it will boot you into S2.

The filesystem in S1 has no idea what’s going on in S2, because it can’t even see it.

You need to reboot after a transactional-update operation, in order for the changes to take effect.

And don’t use transactional-update shell.
But that’s a completely separate issue.

I do not remember if I did not reboot properly after installing the driver. But let us assume I did not. Is there a way to fix this?

Maybe uninstalling the nvidia driver, rebooting and installing and rebooting?

→ “And don’t use transactional-update shell” → well noted

If you did not reboot, just simply run your sudo transactional-update pkg in packagename command again, it will re-snapshot S1 and create a new snapshot, then reboot when the install completes.

Nothing that happens during a “transaction” affects the running system, or the filesystem, until you reboot.
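As an added example, not from this thread: a small POSIX sh check that answers the question the reply above turns on, namely whether the snapshot you are booted into is still the one btrfs will boot next, or whether a transactional-update has already moved the default to a newer snapshot that is waiting for a reboot. It assumes a btrfs root laid out as /.snapshots/<N>/snapshot, as the transactional-update output in this thread shows, and parses the output of findmnt -no SOURCE / and btrfs subvolume get-default /. The function names are this example's own, and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not the forum's or openSUSE's own tooling): report whether a
# transactional-update snapshot is waiting for a reboot, by comparing the snapshot
# mounted as / with the subvolume btrfs will boot next. Runs on the host, never
# inside "transactional-update shell", since there / is the new snapshot's chroot.

# Pull the snapshot number out of any string containing "/.snapshots/<N>/snapshot".
# Works for both
#   /dev/nvme0n1p2[/@/.snapshots/111/snapshot]                   (findmnt -no SOURCE /)
#   ID 300 gen 1234 top level 5 path @/.snapshots/112/snapshot   (btrfs subvolume get-default /)
snapshot_number() {
    printf '%s\n' "$1" | sed -n 's|.*/\.snapshots/\([0-9][0-9]*\)/snapshot.*|\1|p'
}

# Arguments: the raw findmnt output, then the raw btrfs get-default output.
# Prints "booted=<n> default=<m> reboot-pending=yes|no".
# Returns 0 when booted == default, 1 when a reboot is pending, 2 on unparsable input.
reboot_pending() {
    booted=$(snapshot_number "$1")
    default=$(snapshot_number "$2")
    if [ -z "$booted" ] || [ -z "$default" ]; then
        echo "could not parse snapshot numbers from input" >&2
        return 2
    fi
    if [ "$booted" = "$default" ]; then
        echo "booted=$booted default=$default reboot-pending=no"
        return 0
    fi
    echo "booted=$booted default=$default reboot-pending=yes"
    return 1
}

# Live use on an Aeon/MicroOS host (root needed for btrfs subvolume get-default):
#   reboot_pending "$(findmnt -no SOURCE /)" "$(sudo btrfs subvolume get-default /)"
```

If the two numbers differ, nothing you do in the running system touches the snapshot that will actually boot; in the situation described in the thread that is why /var/lib/nvidia-pubkeys is visible in the transactional-update shell (the new snapshot) but not in the host shell (the old one).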

In my output upstairs, when entering the transactional shell it says:

Can anyone explain why this is, how to synchronise it or is it normal? Still I have the different /var/lib folders.

(Besides, I ran the package (re)install again without any change. The MOK screen even appeared, but it did not work to enroll the key.)

user@computer:~> sudo transactional-update -i pkg rm nvidia-driver-G06-kmp-default nvidia-video-G06 nvidia-gl-G06 nvidia-compute-G06
[sudo] Passwort für user:
Checking for newer version.
transactional-update 4.5.0 started
Options: -i pkg rm nvidia-driver-G06-kmp-default nvidia-video-G06 nvidia-gl-G06 nvidia-compute-G06
Separate /var detected.
2024-02-09 23:43:01 tukit 4.5.0 started
2024-02-09 23:43:01 Options: -c111 open
2024-02-09 23:43:01 Using snapshot 111 as base for new snapshot 112.
2024-02-09 23:43:01 /var/lib/overlay/111/etc
2024-02-09 23:43:01 Syncing /etc of previous snapshot 110 as base into new snapshot "/.snapshots/112/snapshot"
2024-02-09 23:43:01 SELinux is enabled.
ID: 112
2024-02-09 23:43:03 Transaction completed.
Calling zypper remove
2024-02-09 23:43:04 tukit 4.5.0 started
2024-02-09 23:43:04 Options: callext 112 zypper -R {} remove nvidia-driver-G06-kmp-default nvidia-video-G06 nvidia-gl-G06 nvidia-compute-G06
2024-02-09 23:43:05 Executing `zypper -R /tmp/transactional-update-AMGjwm remove nvidia-driver-G06-kmp-default nvidia-video-G06 nvidia-gl-G06 nvidia-compute-G06`:
Reading installed packages...
Resolving package dependencies...

The following 4 packages are going to be REMOVED:
  nvidia-compute-G06 nvidia-driver-G06-kmp-default nvidia-gl-G06 nvidia-video-G06

4 packages to remove.
After the operation, 764.2 MiB will be freed.
Continue? [y/n/v/...? shows all options] (y): y
(1/4) Removing nvidia-gl-G06-545.29.06-18.1.x86_64 [..
Removed "/etc/systemd/system/multi-user.target.wants/prime-select.service".
prime-select: service disabled. Remember prime-select needs this service to work correctly.
Use prime-select service restore to enable service again
Failed to create stream fd: No such file or directory
.done]
(2/4) Removing nvidia-video-G06-545.29.06-18.1.x86_64 [..done]
(3/4) Removing nvidia-compute-G06-545.29.06-18.1.x86_64 [...done]
(4/4) Removing nvidia-driver-G06-kmp-default-545.29.06_k6.6.2_1-18.1.x86_64 [..
SKIP: /var/lib/nvidia-pubkeys/MOK-nvidia-driver-G06-545.29.06-18.1-default.der is not in MokList
warning: /usr/lib/modprobe.d/50-nvidia-default.conf saved as /usr/lib/modprobe.d/50-nvidia-default.conf.rpmsave
warning: /usr/lib/dracut/dracut.conf.d/60-nvidia-default.conf saved as /usr/lib/dracut/dracut.conf.d/60-nvidia-default.conf.rpmsave
update-alternatives: warning: alternative /usr/lib/nvidia/alternate-install-present-default (part of link group alternate-install-present) doesn't exist; removing from list of alternatives
update-alternatives: warning: /etc/alternatives/alternate-install-present is dangling; it will be updated with best choice
.done]
2024-02-09 23:43:22 Application returned with exit status 0.
2024-02-09 23:43:22 Transaction completed.
Trying to rebuild kdump initrd
2024-02-09 23:43:23 tukit 4.5.0 started
2024-02-09 23:43:23 Options: close 112
2024-02-09 23:43:24 New default snapshot is #112 (/.snapshots/112/snapshot).
2024-02-09 23:43:24 Transaction completed.

Please reboot your machine to activate the changes and avoid data loss.
New default snapshot is #112 (/.snapshots/112/snapshot).
transactional-update finished

I just tried some things. I copied the key to the boot directory to try importing it via the BIOS. (But this seems not as easy as intended.) At least I could see the key without being in the transactional-update shell.

user@computer:~> sudo mokutil --import /boot/MOK-nvidia-driver-G06-545.29.06-18.1-default.der 
[sudo] Passwort für user: 
input password: 
input password again: 
Failed to enroll new keys
user@computer:~> sudo mokutil --test-key /boot/MOK-nvidia-driver-G06-545.29.06-18.1-default.der 
/boot/MOK-nvidia-driver-G06-545.29.06-18.1-default.der is not enrolled

This means mokutil failed to create EFI variable with enrollment request. Are you on EFI in the first place? Is /sys/firmware/efi/efivars mounted? Any errors in kernel log (dmesg output) when run this command?
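As an added example, not from the thread: a POSIX sh pre-flight check for exactly the points raised in the reply above (is the system booted via UEFI with efivarfs mounted, is Secure Boot on, is an enrollment request already queued, is the key file actually readable). mokutil --import does nothing but write the enrollment request into the EFI variable MokNew under shim's SHIM_LOCK GUID (605dab50-e046-4300-abb6-3dd810dd8b23), and --revoke-import deletes that same variable, so "Failed to enroll new keys" means that write failed. The SecureBoot variable lives under the UEFI EFI_GLOBAL_VARIABLE GUID (8be4df61-93ca-11d2-aa0d-00e098032b8c). Every function takes the efivars directory as an argument so the checks can be tried against a constructed directory as well as the real /sys/firmware/efi/efivars; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not openSUSE's or mokutil's own code): pre-flight checks before
# "mokutil --import". Run them on the host, as root, after the reboot that
# activated the snapshot containing the key.

SHIM_LOCK_GUID=605dab50-e046-4300-abb6-3dd810dd8b23
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFIVARS=/sys/firmware/efi/efivars

# 0 if DIR is a populated efivarfs mount, i.e. a UEFI boot where the kernel
# exposes firmware variables. A legacy/CSM boot has no such directory at all.
efivars_present() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Print the SecureBoot flag (1 = enforcing, 0 = off) or "unknown".
# Every efivarfs file starts with 4 attribute bytes; the variable data follows,
# so the flag is byte 5.
secureboot_state() {
    f="$1/SecureBoot-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo unknown; return 1; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    echo
}

# 0 if an enrollment request is queued (MokNew exists). shim's MokManager reads
# this variable at the next boot and shows the blue "Enroll MOK" screen;
# "mokutil --revoke-import" deletes it again.
mok_request_pending() {
    [ -e "$1/MokNew-$SHIM_LOCK_GUID" ]
}

# Print the SHA-1 fingerprint of a DER certificate, the form in which
# "mokutil --list-enrolled" displays keys. Fails if the file is missing,
# not a DER certificate, or openssl is not installed.
key_fingerprint() {
    [ -r "$1" ] || return 1
    fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 2>/dev/null) || return 1
    printf '%s\n' "${fp#*=}"
}

# Summarise as key=value lines. Returns 0 only when an import can be attempted:
# efivarfs is there and the key file is readable from the running system.
mok_precheck() {
    dir=${1:-$EFIVARS}; key=$2; ok=0
    if efivars_present "$dir"; then echo efivars=yes; else echo efivars=no; ok=1; fi
    echo "secureboot=$(secureboot_state "$dir")"
    if mok_request_pending "$dir"; then echo pending=yes; else echo pending=no; fi
    if [ -r "$key" ]; then echo key=readable; else echo key=missing; ok=1; fi
    return $ok
}

# Live use, e.g. with the key path from this thread:
#   mok_precheck /sys/firmware/efi/efivars \
#       /var/lib/nvidia-pubkeys/MOK-nvidia-driver-G06-545.29.06-18.1-default.der
```

If efivars=no, mokutil cannot work regardless of which shell you run it from. If pending=yes, a request is already queued and another --import is pointless until the next boot shows the MOK screen; pending=no right after a --import that printed "Failed to enroll new keys" confirms the variable write itself failed, which is where dmesg or the strace the reply asks for comes in. After a successful enrollment, mokutil --test-key reports the key as already enrolled instead of "is not enrolled".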

Am I on EFI? I think so. I can find a few entries in efivars, when I ls the directory. Few entries of dmesg are red. Mostly about the ACPI and Bluetooth. The whole output is too long to post it here.
What am I looking for?

Upload to https://paste.opensuse.org/, post link here.

output from dmesg followed by ls efivars

Is it after running mokutil?

Run as root

strace -f -o /tmp/mokutil.out mokutil --import /boot/MOK-nvidia-driver-G06-545.29.06-18.1-default.der

and provide the file /tmp/mokutil.out.

It is possible that strace is not installed by default on MicroOS.

I did not run mokutil directly before dmesg. Does this make a difference?

strace is not installed. So I had no choice but to install it via transactional-update (and reboot). But then I got this output:

user@computer:~> sudo strace -f -o /tmp/mokutil.out mokutil --import /boot/MOK-nvidia-driver-G06-545.29.06-18.1-default.der
[sudo] Passwort für user: 
strace: Can't fopen '/tmp/mokutil.out': Permission denied

Run

setenforce 0

Does mokutil --import work now?

sudo mokutil --import /boot/MOK-nvidia-driver-G06-545.29.06-18.1-default.der 

is still not working.

How exactly do I use setenforce 0?

I copied the file from /tmp to my home directory