This is a tracking bug for Change: Nvidia Driver Installation with Secure Boot Support
For more details, see: https://fedoraproject.org/wiki/Changes/NvidiaInstallationWithSecureboot

Nvidia Drivers have been removed from GNOME Software because it didn't support Secure Boot which is increasingly often enabled. This change brings the option back for Fedora Workstation users with Secure Boot supported.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
Hi Milan, could you provide a status update on this change please? Changes need to be code complete before we enter beta freeze next Tuesday 27th August. Are you still on track to land this in F41, or do you need to defer to F42? Thanks, Aoife
The change had been approved upstream and landed in the code base a few weeks ago. It's part of the gnome-software 47~beta, which has been in Fedora rawhide since the beginning of August, thus I believe everything is set. I'm sorry I did not write an update earlier. In fact, I did not know I should. My fault.
No fault nor blame necessary Milan! Thank you for the quick reply and the update, I'll move the bug state to ON_QA and thanks again :)
I tested installing the nvidia modules. It worked great, except that the modules got compiled before the module keys were generated. Therefore the new nvidia modules were not signed and can't be loaded on a system when secure boot is enabled. To verify that the modules were signed or not I use the command `modinfo nvidia` and look for the signature information. As the system was running in a VM I can't verify if I can install the nvidia module without the nvidia hardware.
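An added example, not part of the comment above or of gnome-software/akmods: the signed-or-not question that `modinfo` answers can also be checked directly on the module file by looking for the kernel's appended-signature trailer. The sample bytes are constructed, and `.xz` as the on-disk compression is an assumption.

```python
"""Check whether a kernel module file carries an appended signature."""
import lzma
import struct
import sys

MAGIC = b"~Module signature appended~\n"   # MODULE_SIG_STRING in the kernel
TRAILER = struct.Struct(">BBBBB3xI")        # struct module_signature, 12 bytes
PKEY_ID_PKCS7 = 2                           # id_type value for PKCS#7 signatures


def signature_info(blob: bytes):
    """Return None for an unsigned module, else a dict describing the trailer."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("magic present but trailer truncated")
    # Fields: algo, hash, id_type, signer_len, key_id_len, (3 pad bytes), sig_len
    _, _, id_type, _, _, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    if sig_len == 0 or sig_len > len(body) - TRAILER.size:
        raise ValueError("signature length does not fit in file")
    return {"pkcs7": id_type == PKEY_ID_PKCS7, "sig_len": sig_len,
            "payload_len": len(body) - TRAILER.size - sig_len}


def load_module(path: str) -> bytes:
    """Read a .ko file; a .xz suffix is decompressed first (assumed format)."""
    opener = lzma.open if path.endswith(".xz") else open
    with opener(path, "rb") as fh:
        return fh.read()


# Constructed sample data: not a real module and not a real PKCS#7 signature.
FAKE_ELF = b"\x7fELF" + b"\x00" * 60
FAKE_SIG = b"\x30\x82" + b"\xaa" * 30
UNSIGNED = FAKE_ELF
SIGNED = (FAKE_ELF + FAKE_SIG
          + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_SIG)) + MAGIC)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        info = signature_info(load_module(path))
        print(path, "unsigned" if info is None
              else f"signed ({info['sig_len']} byte signature)")
```

A trailer only shows that some signature was appended; whether the signing key is one enrolled for Secure Boot still has to be checked against the enrolled MOK list.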
(In reply to Villy Kruse from comment #4)
> It worked great, except that the modules got compiled before the module keys were generated.

Thank you for the feedback. It's been some time since I worked on this, thus I might be wrong, but are you sure of that, please? From what I recall:

1) the user asks to install the NVIDIA driver in the gnome-software
2) the gnome-software generates a new (local) machine key, if needed, and asks the user to reboot, to install this key into the shim
3) when the user installs the key during the boot process, the key is set to be used for local modules rebuild
4) the boot continues and it also re-compiles the NVIDIA modules, using that just installed key.

In other words, the key is created before the (re-)boot, and before the recompile of the modules.

The only broken part would be if there was picked a different existing key for the module recompilation, instead of the one generated by the gnome-software, but then the key, if used for the local module rebuild, should be recognized by the gnome-software and no new key should be generated.

What files are saved in the /etc/pki/akmods/certs/ directory, please?

What is the Fedora, gnome-software and mokutil version, please?
(In reply to Milan Crha from comment #5)
> (In reply to Villy Kruse from comment #4)
> > It worked great, except that the modules got compiled before the module keys were generated.
>
> Thank you for the feedback. It's been some time since I worked on this, thus I might be
> wrong, but are you sure of that, please? From what I recall:
>
> 1) the user asks to install the NVIDIA driver in the gnome-software
> 2) the gnome-software generates a new (local) machine key, if needed, and
> asks the user to reboot, to install this key into the shim
> 3) when the user installs the key during the boot process, the key is set to
> be used for local modules rebuild
> 4) the boot continues and it also re-compiles the NVIDIA modules, using that
> just installed key.
>
> In other words, the key is created before the (re-)boot, and before the
> recompile of the modules.
>
> The only broken part would be if there was picked a different existing key
> for the module recompilation, instead of the one generated by the
> gnome-software, but then the key, if used for the local module rebuild,
> should be recognized by the gnome-software and no new key should be
> generated.
>
> What files are saved in the /etc/pki/akmods/certs/ directory, please?
>
> What is the Fedora, gnome-software and mokutil version, please?

Actually, recompiling the modules occurs during step 1, called from the post-transaction script of akmod-nvidia. No re-compilation of the modules occurs in step 4. I will upload 4 files to answer the other questions. Notice the time stamps.
Created attachment 2083712: Result of running "dnf4 history info". All the modules were installed at 10:07:34
Created attachment 2083713: List of all the files in /etc/pki/akmods. All files were stored at 10:10
Created attachment 2083714: Result of running "modinfo nvidia". Notice the absence of signing key information.
Created attachment 2083715: Verbose list of enrolled mok keys. Notice the generation time stamp is 08:10:50 UTC = 10:10:50 local time
Hmm, that's odd. As far as I know, the akmods uses `/etc/pki/akmods/certs/public_key.der`. The gnome-software also checks whether it's installed in the Shim (enrolled in the secure boot). The two enrolled keys are as expected. One is from Fedora itself, another is the local key, which is the `/etc/pki/akmods/certs/public_key.der`. The same key is supposed to be used for the signing of the drivers.