Secure boot and Nvidia/BBswitch

Hello,
I used to be quite active in the community and I’ve been quite busy with other things. I used to know how to do this but I completely forgot.

I messed up my Nvidia/bumblebee installation and forgot to install the MOK ID in the process; now bbswitch only loads if secure boot is disabled.

Can someone explain to me how to sign DRMs and the current kernel to work with secure boot enabled?

Where it comes from?

how to sign DRMs

What is DRM?

Anyway. Assuming bbswitch that is part of openSUSE Leap 15.4 - it is signed by key /etc/uefi/certs/BDD31A9E-kmp.crt but apparently this key is not automatically enrolled on KMP installation. To enroll it manually:

mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt --root-pw

reboot and agree to enroll certificate providing your root password when requested.

The first part, it somehow doesn’t load bbswitch unless the secure boot is off. I was doing some testing, it may have been because many things went wrong in the installation. DRM = Digital Rights Management, another way I call Nvidia certificate.

The last part, you are right, that specific KMP certification was not enrolled and I did and my bbswitch was consistently loading but producing inconsistent results. I am going to go around from scratch again.

This is the clue to secureboot locking out NVIDIA key

Jun 10 21:05:37 SJLPHI-Solid bumblebeed[2988]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
Jun 10 21:05:37 SJLPHI-Solid bumblebeed[742]: [  252.456785] [ERROR]Module nvidia could not be loaded (timeout?)
Jun 10 21:05:37 SJLPHI-Solid bumblebeed[742]: [  252.456795] [ERROR]Could not load GPU driver



I was able to sign the already loaded Nvidia module using the methods seen here https://gist.github.com/grenade/e3c33e6ad4a0da901aa06a7eb4001a73

generate a new signing keypair:

openssl req -new -x509 -newkey rsa:4096 -keyout ~/.ssh/nvidia-module-private.key -outform DER -out ~/.ssh/nvidia-module-public.key -nodes -days 3650 -subj "/CN=nvidia-kernel-module"

enroll the generated public key in the mok list (see: https://docs.fedoraproject.org/en-US/Fedora/26/html/System_Administrators_Guide/sect-enrolling-public-key-on-target-system.html)

sudo mokutil --import ~/.ssh/nvidia-module-public.key

reboot

but I still do not have a consistent result.
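
Added example, not part of the thread or the linked gist: with Secure Boot enforcing module signatures, a module with no signature and a module signed by a key that is not enrolled both fail to load, so it helps to confirm first that the .ko file on disk carries a signature at all. The sketch below parses the trailer that kernel module signing appends to the file; the function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

# Layout of a signed module file in the Linux kernel's module signing format:
# <module ELF> <PKCS#7 signature> <12-byte struct module_signature> <marker>
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type the kernel expects for PKCS#7 signatures


def signature_info(blob: bytes) -> dict:
    """Describe the appended signature of an uncompressed .ko image."""
    if not blob.endswith(MAGIC):
        return {"signed": False, "reason": "no signature marker (unsigned module)"}
    body = blob[: -len(MAGIC)]
    if len(body) < TRAILER.size:
        return {"signed": False, "reason": "truncated signature trailer"}
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    if sig_len == 0 or sig_len >= len(body) - TRAILER.size:
        return {"signed": False, "reason": "signature length does not fit the file"}
    if id_type != PKEY_ID_PKCS7 or any((algo, hash_, signer_len, key_id_len)):
        return {"signed": False, "reason": "unsupported signature trailer"}
    start = len(body) - TRAILER.size - sig_len
    return {"signed": True, "sig_len": sig_len, "module_len": start,
            "pkcs7": body[start:start + sig_len]}


def constructed_module(sig: bytes, id_type: int = PKEY_ID_PKCS7) -> bytes:
    # Constructed sample: placeholder ELF bytes plus a placeholder signature blob.
    trailer = TRAILER.pack(0, 0, id_type, 0, 0, len(sig))
    return b"\x7fELF" + b"\0" * 60 + sig + trailer + MAGIC


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Pass an uncompressed .ko; decompress .ko.xz / .ko.zst files first.
        with open(sys.argv[1], "rb") as f:
            info = signature_info(f.read())
    else:
        info = signature_info(constructed_module(b"\x30\x82" + b"S" * 30))
    info.pop("pkcs7", None)  # keep the printed summary short
    print(info)
```

If the file is signed, `modinfo -F signer <module>` shows the signer name, which can then be compared against the certificates printed by `mokutil --list-enrolled`.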