I’m facing a strange issue: when I install nvidia G05, as recommended by the nvidia website for my GTX 1070 Ti graphics card, the system freezes on boot and never asks me to enroll the keys. The only fix here is to roll back to the previous working version without nvidia installed. Some years ago, I had the nvidia drivers installed on this machine with openSUSE Tumbleweed, but stopped upgrading it because I wasn’t doing any 3D stuff and maintaining nvidia was more hassle than it was worth. Now, I would like 3D acceleration again for a new project.
When I try to enroll a dummy key, it will report an error: “Failed to enroll new keys”. I also cannot set the verbosity of the
# mokutil --set-verbosity true
Failed to set SHIM_VERBOSE
But mokutil almost looks like it’s working:
# mokutil --sb-state
SecureBoot enabled
# mokutil --root-pw --import /etc/uefi/certs/4659838C-shim.crt
SKIP: /etc/uefi/certs/4659838C-shim.crt is already enrolled
# mokutil --root-pw --import /etc/uefi/certs/1F673297.crt
Already in kernel trusted keyring. Skip /etc/uefi/certs/1F673297.crt
In the GitHub issue “I can't change the Secure Boot mode to enabled "Failed to delete Secure Boot state"” (Issue #45, lcp/mokutil), the author of mokutil recommends checking the hex of some stuff, and from what I understand, it is set correctly:
# hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
00000000 06 00 00 00 00 |.....|
00000005
localhost:/home/cbr # hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
00000000 06 00 00 00 01 |.....|
00000005
I generated a “dummy” key using:
# openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "mok.priv" -out "mok.der"
I got this idea from https://docs.nvidia.com/networking/display/BlueFieldDPUOSLatest/UEFI+Secure+Boot, section “Generation of Custom Keys and Certificates”.
That key fails to enroll however:
# mokutil --import mok.der --root-pw
Failed to enroll new keys
Any idea what could be going on here?
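
Added example, not part of the original post: a small decoder for the efivarfs entries hexdumped above, splitting each file into its 4-byte little-endian attribute header and the data byte that follows. The sample bytes are copied from the hexdump output in the post; the function names are hypothetical.

```python
import struct
from pathlib import Path

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# UEFI variable attribute bits (efivarfs stores them as the first 4 bytes, little-endian)
ATTRS = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x40: "APPEND_WRITE",
}

def decode_efivar(raw):
    """Split an efivarfs file into (attribute mask, attribute names, payload)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    names = [name for bit, name in ATTRS.items() if attrs & bit]
    return attrs, names, raw[4:]

def secure_boot_summary(setup_mode_raw, secure_boot_raw):
    """Interpret SetupMode (1 = setup mode, 0 = user mode) and SecureBoot (1 = enabled)."""
    _, _, setup = decode_efivar(setup_mode_raw)
    _, _, sb = decode_efivar(secure_boot_raw)
    if len(setup) != 1 or len(sb) != 1:
        raise ValueError("SetupMode and SecureBoot must each carry exactly one data byte")
    return {"setup_mode": setup[0] == 1, "secure_boot": sb[0] == 1}

# Sample bytes copied from the hexdump output in the post
SAMPLE_SETUP_MODE = bytes.fromhex("0600000000")
SAMPLE_SECURE_BOOT = bytes.fromhex("0600000001")

if __name__ == "__main__":
    samples = {"SetupMode": SAMPLE_SETUP_MODE, "SecureBoot": SAMPLE_SECURE_BOOT}
    for name, sample in samples.items():
        path = EFIVARS / f"{name}-{EFI_GLOBAL_GUID}"
        # Read the live variable when present, otherwise fall back to the sample bytes
        raw = path.read_bytes() if path.exists() else sample
        attrs, names, data = decode_efivar(raw)
        print(f"{name}: attrs=0x{attrs:02x} ({'|'.join(names)}) data={data.hex()}")
    print(secure_boot_summary(SAMPLE_SETUP_MODE, SAMPLE_SECURE_BOOT))
```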