I have a headless server in a datacenter for GPU workloads that’s running MicroOS with UEFI and Secure Boot enabled. It contains a Quadro P2000, so I installed the NVIDIA drivers following the directions for the G06 on SDB:NVIDIA_drivers. Everything seems to go well; I reboot at the end and manually use the attached interface to enroll the new MOK key. But when the system comes up after the enrollment, the nvidia driver can’t be loaded because it fails the signature check:
modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
As I understand it, with Secure Boot enabled, the Lockdown kernel module requires all driver modules to be signed by a key enrolled in the MOK. The nvidia-driver-G06-kmp-default package includes a %post scriptlet for enrolling an included MOK public key as part of the installation of the drivers, though it requires physical presence at the machine on the subsequent boot to manually enroll the key. Once enrolled, however, drivers signed by the associated private key should pass inspection and be loadable.
What I’m getting, however, when I run sudo modprobe nvidia after successful MOK enrollment is:
modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
This would seem to suggest that either the MOK key wasn’t enrolled, or the signature on the NVIDIA driver mismatches the key(s) that were enrolled.
I’ve tried transactional-update shell, force re-installing the nvidia-driver-G06-kmp-default in the shell, explicitly running mokutil --root-pw --import on all the certificates in /var/lib/nvidia-publickeys/, exiting the shell, rebooting, and accepting the MOK enrollment, but get the same result. When I try to repeat it, I’m just getting a reply during mok --import that the certificates are already enrolled in the MOK. That pretty conclusively eliminates the possibility that keys aren’t in the MOK.
So it seems the OpenSUSE prebuilt G06 NVIDIA drivers are signed with the wrong keys? Or is there something else I can check?
Possibly related is the fact that the MicroOS immutable mounting seems to be incorrectly designed. I get this error if I run transactional-update pkg install -f nvidia-driver-G06-kmp-default:
Warning: The following files were changed in the snapshot, but are shadowed by
other mounts and will not be visible to the system:
/.snapshots/20/snapshot/var/lib/nvidia-pubkeys/MOK-nvidia-driver-G06-535.104.05-11.1-default.der
And the /var/lib/nvidia-pubkeys folder doesn’t exist in the system on the next boot. It seems that the /var/lib exposed for the transactional-update isn’t the same one that is made available at run-time, so at least some things are missing from the running system. I’m not sure if it actually affects this issue since the MOK keys are enrolled in separate storage, but it doesn’t speak highly of the package correctness.