Nvidia problem #221

jyash8 opened this issue May 26, 2023 · 4 comments

jyash8 commented May 26, 2023

I have seen in many places that PCs with Nvidia drivers fail to boot.
Does something different need to be done for it, or will it work out of the box?
Also, how do I disable checks for kernel modules?


critkitten commented Jun 1, 2023

As far as I understand sbctl does not support signing of kernel modules.
If you want to know more, check out #85.

To disable the signature check of kernel modules, you can set the following on the kernel cmdline:
module.sig_enforce=0
But Secure Boot usually means that lockdown=confidentiality is on, which in turn means module signature also.

Under Arch Linux I have not been able to run Secure Boot with an Nvidia card. Under Debian it works because only MOK is used there and the kernels are officially signed; on Arch Linux they are not.
You can read about the difference between MOK and sbctl in the above-linked article. I did not understand it until today. But you can't use both.

Perhaps someone can clarify this in a short sentence.


jyash8 commented Jun 2, 2023

As far as I know, the Nvidia kernel module has been open sourced, so if the kernel module could be embedded in the kernel and then made into a unified kernel image and signed, would it then work?

@IPlayZed

> Under Arch Linux I have not been able to run Secure Boot with an Nvidia card. Under Debian it works because only MOK is used there and the kernels are officially signed; on Arch Linux they are not.

This is interesting, I had no such problem. I think the kernel is not built with lockdown enabled, so unless you specify lockdown=confidentiality and add lockdown to lsm=..., there is no reason why it should force itself. When I had an Nvidia card, I could do it easily.

lockdown forces module.sig_enforce=0 AFAIK.

> You can read about the difference between MOK and sbctl in the above-linked article. I did not understand it until today. But you can't use both.

Why not? Sign the shim, boot the shim, which launches the MOK process of validating stuff.
This page explains it simply.

@IPlayZed

> As far as I know, the Nvidia kernel module has been open sourced, so if the kernel module could be embedded in the kernel and then made into a unified kernel image and signed, would it then work?

That is not really the case; again, the question is whether it is signed by the same key as the one used to sign the kernel. If you build your own kernel and sign the kernel module with that, it will not be rejected.
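
The comments above disagree about whether lockdown and module signature enforcement are active on a given system; the running kernel can be asked directly. The script below is an added example, not part of the thread or of sbctl. It reads `/proc/cmdline`, `/sys/kernel/security/lockdown` and `/sys/module/module/parameters/sig_enforce`; the function and `*_FILE` variable names are its own.

```shell
#!/bin/sh
# Added example: report the module-signature state of the running kernel.
# The *_FILE variables and function names are this example's own; they
# default to the real kernel interfaces and can be pointed at test files.
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"
SIGENF_FILE="${SIGENF_FILE:-/sys/module/module/parameters/sig_enforce}"

# Active lockdown mode is the bracketed word: "none [integrity] confidentiality".
lockdown_mode() {
    [ -r "$LOCKDOWN_FILE" ] || { echo unavailable; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$LOCKDOWN_FILE"
}

# Effective sig_enforce as the kernel reports it: Y or N.
sig_enforce() {
    [ -r "$SIGENF_FILE" ] || { echo unavailable; return 0; }
    cat "$SIGENF_FILE"
}

# Value requested for key $1 on the kernel command line (last occurrence).
cmdline_value() {
    [ -r "$CMDLINE_FILE" ] || return 0
    tr ' ' '\n' < "$CMDLINE_FILE" | {
        val=
        while read -r word; do
            case "$word" in "$1"=*) val=${word#*=} ;; esac
        done
        echo "$val"
    }
}

# Unsigned modules are refused if sig_enforce is Y or a lockdown mode is active.
unsigned_modules_rejected() {
    if [ "$(sig_enforce)" = "Y" ]; then echo yes; return 0; fi
    case "$(lockdown_mode)" in
        integrity|confidentiality) echo yes ;;
        *) echo no ;;
    esac
}

report() {
    echo "cmdline module.sig_enforce: $(cmdline_value module.sig_enforce)"
    echo "cmdline lockdown:           $(cmdline_value lockdown)"
    echo "effective sig_enforce:      $(sig_enforce)"
    echo "active lockdown mode:       $(lockdown_mode)"
    echo "unsigned modules rejected:  $(unsigned_modules_rejected)"
}
report
```

The command-line values show what was requested at boot; the two sysfs values show what the kernel is actually enforcing, which is what decides whether an unsigned module loads.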
