Where is everything MOK related stored

I reinstalled Tumbleweed from a PC with an NVIDIA GPU. Since the computer is relatively new, it’s the first time I have to deal with the drivers and MOK. The question I have comes from the fact that when I installed the NVIDIA drivers, after rebooting to enroll the keys so the drivers work, the MOK screen didn’t appear. I ran mokutil --list-enrolled, and the key was already there. So I had the key already enrolled from my previous Tumbleweed install. I researched a bit more, this time on another PC which has Mint, and did the same, but before reinstalling I ran mokutil --reset and learned that the MOK password you create also survives after reinstalling the distro. Where is all that stored (keys and password), if it isn’t the hard drive?

The MOK keys and data are stored in NVRAM. That stands for “non-volatile RAM”. It is typically a physical device, something like flash memory, that is built into your computer and maintained by your BIOS (or UEFI firmware). There is an interface which allows your operating system to access NVRAM.

And no, it isn’t the hard drive.

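As an added illustration (not code from the thread or from any poster): on Linux the interface to NVRAM mentioned above is exposed as efivarfs, normally mounted at /sys/firmware/efi/efivars, where each variable is a file named Name-GUID whose first four bytes are the attribute mask. The example below lists the Mok* variables and decodes those attributes; the sample directory, the placeholder GUID and the `MokBroken` entry are constructed so it also runs on a machine without UEFI.

```python
import os
import struct
import tempfile

# Attribute bits defined by the UEFI specification.
ATTRS = {0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS", 0x04: "RUNTIME_ACCESS"}

def parse_efivar(raw):
    """An efivarfs file is a 4-byte little-endian attribute mask, then the data."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs entry")
    (mask,) = struct.unpack_from("<I", raw)
    return [name for bit, name in ATTRS.items() if mask & bit], raw[4:]

def list_vars(efivars_dir="/sys/firmware/efi/efivars", prefix="Mok"):
    """Map variable name -> GUID, attribute flags and payload size."""
    found = {}
    for entry in sorted(os.listdir(efivars_dir)):
        if not entry.startswith(prefix):
            continue
        name, _, guid = entry.partition("-")  # efivarfs names files Name-GUID
        try:
            with open(os.path.join(efivars_dir, entry), "rb") as fh:
                flags, data = parse_efivar(fh.read())
            found[name] = {"guid": guid, "flags": flags, "size": len(data)}
        except (OSError, ValueError) as exc:  # unreadable or malformed entry
            found[name] = {"guid": guid, "error": str(exc)}
    return found

def make_sample_dir():
    """Constructed stand-in for efivarfs so the example runs on any machine."""
    guid = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real GUID
    samples = {
        "MokListRT": struct.pack("<I", 0x06) + b"\x00" * 64,  # constructed payload
        "MokBroken": b"\x07",  # hypothetical entry, truncated on purpose
        "Boot0000": struct.pack("<I", 0x07) + b"\x01\x00",  # constructed payload
    }
    path = tempfile.mkdtemp()
    for name, raw in samples.items():
        with open(os.path.join(path, f"{name}-{guid}"), "wb") as fh:
            fh.write(raw)
    return path

if __name__ == "__main__":
    real = "/sys/firmware/efi/efivars"
    target = real if os.path.isdir(real) else make_sample_dir()
    for name, info in list_vars(target).items():
        print(name, info)
```

Passing `prefix="Boot"` lists the UEFI boot entries the same way.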

Thanks for the reply. So enrolling a key is only done once no matter how many times you reinstall the distro, unless you reset the keys, and the same goes for the password you set for enrolling the keys. NVRAM also stores the UEFI boot entries as well, I suppose.

You did not explain how you installed the NVIDIA drivers or where they come from. If you used packages built by SUSE and available via NVIDIA - while the NVIDIA driver certificate from the previous install remained in the NVRAM, this certificate cannot be used. The NVIDIA package always generates a new random private/public key pair during installation and wipes out the private key after the driver was signed. So this private key is not available after the package was installed and cannot be reused for the new installation, even if you did not reinstall the operating system itself.

Again, it is quite unclear what you mean. There is no such thing as “mok password”. There is a password that is attached to the enrollment request and used by MokManager to verify that the person answering questions on boot is the same as the person who submitted this enrollment request. The enrollment request is one time only - shim will delete it whether it has been acted upon or not. So there is nothing to “survive”.

If you mean that an enrollment request created in one operating system will be visible when you boot shim from another operating system - that’s correct.