Comment # 65 on bug 1175626 from
(In reply to John Shaw from comment #63)
> All are empty. I shut my machine off every night and reboot in the morning
> with SecureBoot disabled. Updates come through in that mode, so I wonder if
> they don't try to set up the certificates/keys.

This is how it's designed, yes. If the nvidia driver is installed with SB
disabled, it will not try to either generate or enroll any keys. You need to
uninstall the drivers, enable SB, reboot, and install them again.

> Although I can sometimes boot
> with SecureBoot (I tried again a couple of days ago), I cannot get the
> nVidia driver to be enrolled.

That makes no sense to me. With SB, a driver can't be sometimes loadable and
sometimes not. If the key hasn't been enrolled, it's not loadable, period.
Unless you are booting a Leap 15.1 kernel, that is.

>  This is not an option for me as I write
> Cuda-based codes.
> 
> I could not care less about having SecureBoot (why would anyone?), but I
> figured I would try to help debug this issue. The certificate file is
> available for the nvidia driver, so it can be imported with mokutil again.

Hm. If the driver was installed without SB as you wrote above, it wouldn't
generate a key. If there is still a key file around, it's likely from a
previous installed version of the driver and won't work with the current
drivers you have.

> This may force MOK to pause and let me enroll it. If there is nothing to
> enroll, what is MOK Manager supposed to do on a boot? Is it supposed to: a)
> do nothing and pass control to grub; b) flash MOK screen and move on; or c)
> show MOK screen and wait a few seconds?

It's a). Otherwise we'd see the mok screen on every boot.

(In reply to John Shaw from comment #64)
> I imported the nVidia certificate for the latest driver, so it shows up
> with --list-new. This should force MOK manager to attempt to enroll it. If I
> boot with SecureBoot enabled, it hangs BUT the first time I tried I had a
> mostly black screen, with green "noise" along the top. This was the first
> time I saw this phenomenon, and it looks like the video driver (?) crashes
> when trying to display the MOK screen. Repeating the boot resulted in a pure
> black screen, so I guess the green noise is a random thing.

At the time MokManager is running, the EFI environment of your BIOS is
responsible for displaying the screen. It could be that this fails. MokManager uses
EFI calls to switch the console *from graphics to text mode*, actually;
perhaps your EFI BIOS has an issue with text mode? It wouldn't be the first
BIOS that fails at simple text mode. Whatever goes wrong here, I don't see how
it could be related to the fact that you installed the Linux nvidia drivers and
enrolled a certificate for them.

https://github.com/rhboot/shim/blob/master/lib/console.c
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf (§12)

If you have that black/green screen, you don't know what's going on of course.
Normally MokManager would wait for a key press for some time, then continue
normal boot without enrolling anything. But it deletes any certs in MokNew
IIRC, even if they weren't enrolled, so it's normal behavior that at subsequent
boots the MokManager screen wouldn't show up again.

> My machine has two nVidia cards in it. A GTX 950 drives two monitors, and a
> Quadro GV100 is used for Cuda development. This is not "normal" for a home
> computer (the GV100 costs ~$8.5k).

Both cards using the same driver?

> This may be the difference causing the
> problem, but I cannot imagine why, as the BIOS display clearly has no
> problem with it and it has nothing to do with nVidia drivers. Maybe the way
> MOK Manager writes or initializes the display has an issue if multiple
> graphics cards are present. If this is the case, maybe this is not worth
> pursuing at your end.

If it's no big hassle for you, you might try if the problem goes away if you
remove or disable the GV100 card.

> Anyway, if I then boot with SecureBoot disabled, MOK Manager comes up, but
> it does not offer to enroll anything (ie, the nVidia certificate).

Probably the cert has been removed from MokNew by that time. (Does mokutil
--list-new still show them?).

>  I can
> continue, reset MOK, or import (?) keys or hashes for files. In either of
> the last two cases, I cannot get to the certificate file (.der) for the
> nVidia driver, but I can navigate the UEFI directory. I guess I could try to
> import hashes for some of the \efi\opensuse\*.bin files.

You could try copying the nvidia .der files to some path below \EFI aka
/boot/efi/EFI. (doesn't have to be \EFI\opensuse).

>  Presumably I need
> at least shim.efi, grubx64.efi, and MokManager.efi. Anything else? Clearly
> none of this matters with SecureBoot disabled.

No certificates should be needed for any of these. shim is signed by Microsoft,
and has built-in certificates for verifying the further steps in the openSUSE
boot chain.

