Adding X.509 certificate to UEFI secure boot database?
I have recently installed Fedora 20 on a custom desktop PC with an ASUS Z87-K motherboard. Given some commonly known bugs, I have installed the NVIDIA proprietary driver for my GeForce 630, and disabled the nouveau driver.
After correctly completing the driver installation, during which the module was signed with a newly generated key pair, an X.509 certificate was created and automatically placed in /usr/share/nvidia/certificate.der.
However, from that moment, the computer is unable to boot with the UEFI Secure Boot option enabled. When switching to text mode and running nvidia-modprobe, I find that the NVIDIA proprietary module was not loaded.
When I disable Secure Boot in the UEFI menu, the computer boots and runs smoothly with the installed driver.
To avoid the drawback of booting in an insecure mode, I would like to know where to place the X.509 certificate of the NVIDIA module in order for it to be recognized by the kernel, so I don't have to turn off Secure Boot.
uefi nvidia-geforce secure-boot fedora-20
edited Mar 9 '16 at 14:36 by Hennes
asked Jul 26 '14 at 11:15 by zml
2 Answers
You should be able to load the certificate using MokManager.efi so that it's recognized by Shim, and therefore accepted by the kernel. I don't know if Fedora sets its GRUB up so that you can launch MokManager.efi yourself. If not, try booting (with Secure Boot disabled) a USB flash drive with an EFI shell or rEFInd. You should then be able to launch MokManager.efi and load the certificate file. (It will need to be stored on the same disk as the MokManager.efi utility -- probably /boot/efi from within Fedora.)
I'm pretty sure there's a way to add the certificate to the NVRAM from within Linux so that Shim will notice it and ask if it should be used the next time you reboot, but I don't know precisely what it is. Presumably it would involve writing the file to somewhere in the /sys/firmware/efi directory tree.
That said, I've never had to do this specific thing myself, since I don't use proprietary video drivers on any of my computers. It's conceivable there's some extra step you'll need to take.
answered Jul 26 '14 at 13:54 by Rod Smith
Turns out you can use mokutil in the command line.
– Fabián Heredia Montiel
Sep 17 '14 at 12:03
You would want to use mokutil to enroll the key.
sudo mokutil --import <der file>
You can test if a key is enrolled with
mokutil --test-key <der file>
answered Sep 24 '14 at 12:44 by Fabián Heredia Montiel
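As an added example (not code from either answer), a small POSIX shell script that wires the two mokutil commands above together: it checks that the file looks DER-encoded, asks mokutil --test-key whether the certificate is already in the MOK list, and only then queues it with --import. The default path is the one from the question; the exact wording of mokutil's --test-key output is an assumption of this example.

```shell
#!/bin/sh
# Added example: enroll a DER certificate as a Machine Owner Key only when it
# is not already enrolled. Default path taken from the question above.
CERT="${1:-/usr/share/nvidia/certificate.der}"

# Classify the output of `mokutil --test-key`. mokutil is assumed to print
# "<file> is already enrolled" or "<file> is not enrolled".
mok_state() {
    case "$1" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo missing ;;
        *)                       echo unknown ;;
    esac
}

# Cheap sanity check that the file is DER, not PEM: a DER certificate starts
# with 0x30 (ASN.1 SEQUENCE). mokutil --import expects DER.
is_der() {
    [ -r "$1" ] && [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

enroll_if_needed() {
    cert="$1"
    if ! is_der "$cert"; then
        echo "$cert is not a readable DER certificate" >&2
        return 2
    fi
    state=$(mok_state "$(mokutil --test-key "$cert" 2>&1)")
    case "$state" in
        enrolled) echo "already enrolled: $cert" ;;
        missing)
            # --import asks for a one-time password; MokManager asks for the
            # same password on the next boot before the key becomes active.
            sudo mokutil --import "$cert" &&
                echo "queued $cert; reboot and confirm it in MokManager"
            ;;
        *) echo "could not interpret mokutil output for $cert" >&2; return 1 ;;
    esac
}

# Only touch the firmware when explicitly asked, so the file can be sourced.
if [ -n "${MOK_ENROLL_RUN:-}" ]; then
    enroll_if_needed "$CERT"
fi
```

Run it as `MOK_ENROLL_RUN=1 sh enroll-mok.sh /usr/share/nvidia/certificate.der`; the key only becomes trusted after the MokManager confirmation on the following reboot, and the module must have been signed with the matching private key.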