On 08. 06. 23, 8:59, Jiri Slaby wrote:
On 08. 06. 23, 7:13, Andrei Borzenkov wrote:
On 08.06.2023 07:54, joeyli via openSUSE Factory wrote:
As you see, the kernel module verification will be enabled. So please sign your self-built kernel module.

mokutil --sb-state | grep -q "SecureBoot enabled"
if [ $? -eq 0 ]; then
  privkey=$(mktemp /tmp/MOK.priv.XXXXXX)
  pubkeydir=/var/lib/nvidia-pubkeys
  pubkey=$pubkeydir/MOK-nvidia-driver-G06-525.116.04-8.1-$flavor.der

Should not NVIDIA (and any other external module) always generate and enroll a certificate?

IMO yes, the same as the kernel.

Like this:

is_efi () {
    local msg rc=0

    # The below statement fails if mokutil isn't installed or UEFI is unsupported.
    # It doesn't fail if UEFI is available but secure boot is off.
    msg="$(mokutil --sb-state 2>&1)" || rc=$?

    [ -z "$KERNEL_PACKAGE_SCRIPT_DEBUG" ] || echo "$msg"

    return $rc
}

if ! is_efi; then
    [ -z "$KERNEL_PACKAGE_SCRIPT_DEBUG" ] || \
        echo "$0: system doesn't support UEFI, skipping certificate handling" >&2
    exit 0
fi

--
js
suse labs
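
An added example, not part of the thread or of either package's scripts: it puts the two gates discussed above side by side so the case where they disagree (UEFI present, Secure Boot currently off) is visible. The function names gate_on_sb_state, gate_on_uefi and compare_gates are hypothetical.

```shell
#!/bin/sh
# Added example. mokutil is invoked by name, so a shell function with the
# same name can stand in for it when testing.

# Gate as in the quoted NVIDIA scriptlet: handle certificates only when
# Secure Boot is enabled at the moment the script runs.
gate_on_sb_state() {
    mokutil --sb-state 2>/dev/null | grep -q "SecureBoot enabled"
}

# Gate in the style of is_efi from the reply: handle certificates whenever
# mokutil can query the firmware, regardless of the current Secure Boot state.
# Fails only if mokutil is missing or UEFI is unsupported.
gate_on_uefi() {
    mokutil --sb-state >/dev/null 2>&1
}

# Report what each gate would decide on this system.
compare_gates() {
    old=skip
    new=skip
    if gate_on_sb_state; then old=enroll; fi
    if gate_on_uefi; then new=enroll; fi
    echo "sb-state-gate=$old uefi-gate=$new"
}

compare_gates
```

On a UEFI system with Secure Boot switched off this prints `sb-state-gate=skip uefi-gate=enroll`: only the second gate leaves the module with an enrolled certificate if Secure Boot is enabled later.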