-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure Boot key signing #53
Comments
I guess @MrDuartePT knows this better! |
@Reaversword Well i dont know what distro you are using but i recommed using sbctl is a easy process and allow to use the Microsoft key to be possible to use discrete mode with secure boot enable on linux (if you remove microsoft key you get black screen in discrete mode and in hybrid the nvidia module dosent load on boot [i know that because i try to use custom keys one time]) the guide i will post helps just install sbctl on your distro |
Do you mean that proprietary/nouveau just won't work at all in hybrid without those M$ keys? I thought that the arch wiki warning was mostly for some old laptops with broken BIOSes. Regarding nvidia is there some error that complaints about it or it just some generic error or smth? |
If you remove the microsoft keys and activate secure boot you will get a black screen if you boot in discrete mode and in hybrid mode the nvidia/nouveau modules will load but the card cant be used. The problem is how nvidia vbios is sign on laptop and because lenovo legion laptop dont have optirom in the tpm you need to use the microsoft keys This issues on sbctl project can help you understand: edit: on other word you can brick or laptop on discrete and need the blind bios method to go back to hybrid. sbctl faq about Option Rom: https://github.com/Foxboron/sbctl/wiki/FAQ |
@pm4rcin @Reaversword @johnfanv2 in the latest bios Option Rom is working: |
@MrDuartePT that's great to hear. Could you tell which laptop model do you have? I also have read the links you've provided and some more and found one example of hard-brick because of buggy firmware. But it was thinkpad t14s gen 1 AMD so I guess it shouldn't be a problem but who knows... I'll probably try it sooner or later but first I need to figure out how to do that on Fedora Sericea since it uses Windows keys. Or rI'll return again to Arch or smth :D |
My laptop is a Legion 5 gen 6 AMD variant. |
Will this allow the preservation of secureboot keys after kernel updates? I heard that you need to manually recreate keys after every update (or something like that) and that sounds like a pain on arch |
I allways use the same keys and my system automatic sign the kernel file after building the initramfs |
Since this dosent have any activity for the past 1 month and the kernel module work with secure boot (at least on my setup using sbctl) I will close this issue. |
Hello!, first of all, thank you for create LenovoLegionLinux!!!
I'm trying to follow your guide, but no idea how to sign -whatever... file?- to get secure boot enabled and have everything working.
From here:
https://github.com/dell/dkms#secure-boot
"With the appropriate key material on the system, enroll the public key:"
What's "appropiate key material" of LLL? LenovoLegionLinux/kernel_module/legion-laptop.ko?. If I do: mokutil --import /LenovoLegionLinux/kernel_module/legion-laptop.ko
it tells to me:
Abort!!! legion-laptop.ko is not a valid x509 certificate in DER format
Sorry, I've never in my life signed anything, I have no idea what to do or what I need to sign or why if I use
<<mokutil --import /var/lib/dkms/mok.pub">> (with than end " and without it)
I don't receive any requesting for put a secure boot password.
I'm absolutely blind about this issue.
Anybody can point so lose people as myself in the right way?
The text was updated successfully, but these errors were encountered: