Foxboron / sbctl

Secure Boot key manager
MIT License

Nvidia problem #221

Open jyash8 opened 1 year ago

jyash8 commented 1 year ago

I have seen in many places that PCs with Nvidia drivers fail to boot. Does something different need to be done for it, or will it work out of the box? Also, how do I disable checks for kernel modules?

critkitten commented 1 year ago

As far as I understand, sbctl does not support signing of kernel modules. If you want to know more, check out https://github.com/Foxboron/sbctl/issues/85

To disable the signature check of kernel modules you can set the following kernel cmdline: module.sig_enforce=0. But Secure Boot usually means that lockdown=confidentiality is on, which in turn means module signatures also.

Under Arch Linux I have not been able to run Secure Boot with an Nvidia card. Under Debian it works because only MOK is used there and the kernels are officially signed; Arch Linux's are not. The difference between MOK and sbctl you can read in the above linked article. I did not understand it until today. But you can't use both.

Perhaps someone can clarify this in a short sentence.

jyash8 commented 1 year ago

As far as I know the Nvidia kernel module has been open-sourced, so if the kernel module could be embedded in the kernel and then made into a unified kernel image and signed, would it then work?

IPlayZed commented 8 months ago

> Under Arch Linux I have not been able to run Secure Boot with an Nvidia card. Under Debian it works because only MOK is used there and the kernels are officially signed; Arch Linux's are not.

This is interesting, I had no such problem. I think the kernel is not built with lockdown enabled, so unless you specify lockdown=confidentiality and add lockdown to lsm=..., there is no reason why it should force itself. When I had an Nvidia card, I could do it easily.

lockdown forces module.sig_enforce=0 AFAIK.

> The difference between MOK and sbctl you can read in the above linked article. I did not understand it until today. But you can't use both.

Why not? Sign the shim, boot the shim, which launches the MOK process of validating stuff. This page explains it simply.

IPlayZed commented 8 months ago

> As far as I know the Nvidia kernel module has been open-sourced, so if the kernel module could be embedded in the kernel and then made into a unified kernel image and signed, would it then work?

That is not really the case; again, the question is whether it is signed by the same key as the one used to sign the kernel. If you build your own kernel and sign the kernel module with that, it will not be rejected.
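The thread above turns on three things the running kernel exposes: whether Secure Boot is on, which lockdown mode is active, and whether module.sig_enforce was set on the command line, plus whether a given module (such as nvidia) actually carries a signature. The following script is an added example, not part of this issue thread and not sbctl's own code; it reads those states so you can see before a reboot why an out-of-tree module would be refused. It assumes the standard efivarfs path for the SecureBoot variable, the `/sys/kernel/security/lockdown` format (`[none] integrity confidentiality`), and the `sig_id` / `signer` fields that modinfo prints for signed modules. The parsing functions take their input as arguments so they can be run against captured copies as well as the live system.

```shell
#!/bin/sh
# Added example: report why an unsigned out-of-tree module (e.g. nvidia) would be
# rejected on this machine. Reads kernel-exposed state only; changes nothing.

# Secure Boot state from the UEFI global variable (4 attribute bytes, then 1 data byte).
# Path assumed: standard efivarfs mount.
secureboot_state() {
    f=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    [ -r "$f" ] || { echo "unknown (no efivars)"; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# /sys/kernel/security/lockdown looks like "[none] integrity confidentiality";
# the bracketed word is the active mode. Optional argument: a file to parse instead.
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo "unavailable"; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# Value of module.sig_enforce= in a kernel command line string, or "unset".
sig_enforce_from_cmdline() {
    for tok in $1; do
        case "$tok" in
            module.sig_enforce=*) echo "${tok#module.sig_enforce=}"; return 0 ;;
        esac
    done
    echo "unset"
}

# A signed module reports "sig_id: PKCS#7" in modinfo; unsigned ones have no sig_id.
module_is_signed() {
    modinfo -F sig_id "$1" 2>/dev/null | grep -q 'PKCS'
}

report() {
    echo "Secure Boot:        $(secureboot_state)"
    echo "lockdown mode:      $(lockdown_mode)"
    echo "module.sig_enforce: $(sig_enforce_from_cmdline "$(cat /proc/cmdline 2>/dev/null)")"
    for m in "$@"; do
        if module_is_signed "$m"; then
            echo "module $m: signed by '$(modinfo -F signer "$m" 2>/dev/null)'"
        else
            echo "module $m: unsigned or not installed"
        fi
    done
}

# Usage: ./modsig-check.sh [module ...]; defaults to the module this thread is about.
report "${@:-nvidia}"
```

Reading the output: with Secure Boot enabled and lockdown in integrity or confidentiality mode, a module reported as unsigned, or signed by a key the kernel does not trust (the `signer` line shows which certificate was used), will be refused at load time regardless of what the bootloader accepted, which is the situation the comments above describe.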

IPlayZed commented 2 weeks ago

@jyash8 Do you mind closing the issue, if my answers were sufficient?