Thread: Secure boot with nVIDIA?

  1. #1
    Join Date
    Nov 2018
    Beans
    13

    Secure boot with nVIDIA?

    I have a dual boot laptop with Ubuntu 21.04 and Windows 10.
    Secure boot is disabled in the BIOS.
    I use the nVIDIA proprietary drivers and Intel graphics are disabled in the BIOS (discrete graphics).
    But when Windows 11 comes, secure boot should be enabled.
    What should I do to prepare for this moment?
    Is there somewhere a clear howto for enabling secure boot on an already installed Ubuntu before this is done in the BIOS?

  2. #2
    Join Date
    Jan 2006
    Location
    Sunny Southend-on-Sea
    Beans
    8,414
    Distro
    Kubuntu 20.04 Focal Fossa

    Re: Secure boot with nVIDIA?

    Quote: Originally posted by bert.ram.aerts
    Is there somewhere a clear howto for enabling secure boot on an already installed Ubuntu before this is done in the BIOS?
    Probably. The term to look for is "enrolling a Machine-Owners' Key" or MOK.

    The principle is that Secure Boot will only allow things to run if they've been signed by someone the UEFI trusts. Your UEFI trusts Microsoft. Since Ubuntu's stuff is signed using Microsoft's key, your UEFI also trusts Ubuntu. It doesn't trust Nvidia, since their stuff isn't signed. So you sign it yourself, as the owner of the machine, and tell the UEFI to trust your key.

  3. #3
    Join Date
    Jun 2009
    Location
    SW Florida
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Secure boot with nVIDIA?

    I currently do not use Secure Boot, nor plan to in near future unless major issues.
    I also will not be dual booting Windows 11.

    More info on Secure boot.
    https://wiki.ubuntu.com/UEFI/SecureBoot
    man mokutil


    UEFI boot install & repair info - Regularly Updated :
    https://ubuntuforums.org/showthread.php?t=2147295
    Please use Thread Tools above first post to change to [Solved] when/if answered completely.

  4. #4
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Secure boot with nVIDIA?

    NVidia "is not" a factor, in any way related to SecureBoot. Nvidia is "Graphics", not an Operating System. There is a difference in digitally signed "packages", which would relate to APT trusting if a package is trusted, before installing it... Or a BIOS trusting a non-digitally signed OS Kernel.

    As for Windows 11... when the first preview came out, everyone freaked out over an early indication that it would only install if UEFI, that SecureBoot had to be enabled, AND that it had to be TPM 2.0 or newer capable... That was quickly found to be false and there are many work-arounds to install it on old legacy systems.

    SecureBoot is always going to be a subject. Even with Windows. Many early Vendor implementations in UEFI firmware need their firmware updated to be compliant to what is current to today.

    A number of years ago, Debian abandoned supporting booting with SecureBoot enabled, but promised to support it again in the future. Ubuntu, being right under Debian in the branch, took the lead in trying to support it again, to make Debian's promise good. They started supporting it again with LTS Version 20.04.

    So Ubuntu today (20.04 and newer), if UEFI, will run with either SecureBoot enabled or disabled... But it running with SecureBoot enabled depends on other factors being in place for that to happen. One, that the UEFI firmware is updated and current. Two, that grub-efi-<arch>-signed is installed, so that the current UEFI firmware sees the efi files as being signed and trusted.

    There are other ways, but not for the faint of heart (or unskilled). You could manually say it is trusted, using an UEFI utility, but then would be locked into doing that for each update of those files.

    Are there ways? Yes, many ways, and many avenues. It's too early to tell which is the easiest and best.

    What is important for all at this point, is to ensure that you keep up to date on your motherboard's BIOS firmware updates.
    Last edited by MAFoElffen; 1 Week Ago at 02:02 AM.

    Concurrent coexistence of Windows, Linux and UNIX...
    Ubuntu user # 33563, Linux user # 533637
    Sticky: [all variants] Graphics Resolution- Upgrade /Blank Screen after reboot
    UbuntuForums system-info Script

  5. #5
    Join Date
    Nov 2018
    Beans
    13

    Re: Secure boot with nVIDIA?

    Thanks for the helpful replies!
    My experience with enabling secure boot:

    • Secure boot enabled in BIOS (otherwise command in next step complains that secure boot is disabled)
      Ubuntu booted fine but without nVIDIA proprietary drivers (but with nouveau driver) and without wifi (my own compiled driver)
    • sudo update-secureboot-policy --enroll-key
      gave following error:
      debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable

      sudo fuser -v /var/cache/debconf/config.dat
      To find out PID of process locking the file and then
      kill -9 PID
      This command brought up a user interface in terminal to set password for Machine Owners Key (MOK)


    • After reboot special MOK user interface was shown, selected enroll MOK, entered password from previous step, but take care keyboard is QWERTY at moment of entry
    • After further booting nVIDIA was loaded correctly
    • Undo iwlwifi own compiled driver and after reboot wifi was OK.
    • Remaining issue: VMware modules are not trusted, solution described in:
      https://kb.vmware.com/s/article/2146460
    • sudo mokutil --import MOK.der (word sudo is missing in kb)
      Same password used as before
    • After reboot special MOK user interface was shown, selected enroll MOK, view MOK clearly showed word vmware, entered password of previous step, but take care keyboard is QWERTY at moment of entry
    • After further booting vmmon and vmnet are loaded but vmware reported that Windows 10 virtual machine was copied or moved, I selected moved. Windows 10 VM is running just fine.
    • mokutil --list-enrolled
      Gives overview of 3 keys on my system.
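
Added example, not part of the posts above: a pre-flight check that lists which loaded kernel modules carry a signature, so unsigned ones (like the NVIDIA, wifi and VMware modules in this thread) are known before Secure Boot is switched on. The `module|signer` line format, the `--live` switch and the sample data are assumptions made for this sketch; `modinfo -F signer` and `mokutil --sb-state` are the real commands it relies on.

```shell
#!/bin/sh
# Added example (not from the thread): list which kernel modules carry a
# signature, before Secure Boot is switched on in the firmware setup.

# Constructed sample in "module|signer" form; an empty signer means unsigned.
SAMPLE='nvidia|
iwlwifi|Build time autogenerated kernel key
vmmon|
ext4|Build time autogenerated kernel key'

# Emit "module|signer" for every module loaded on the running system.
live_modules() {
    while read -r mod _rest; do
        printf '%s|%s\n' "$mod" "$(modinfo -F signer "$mod" 2>/dev/null)"
    done < /proc/modules
}

# Read "module|signer" lines; report each one and fail if any is unsigned.
audit() {
    bad=0
    while IFS='|' read -r mod signer; do
        [ -n "$mod" ] || continue
        if [ -n "$signer" ]; then
            printf 'signed    %s (%s)\n' "$mod" "$signer"
        else
            printf 'UNSIGNED  %s\n' "$mod"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then
    # Audit the running machine (needs modinfo; mokutil is optional).
    mokutil --sb-state 2>/dev/null || echo "Secure Boot state unknown"
    live_modules | audit || echo "Unsigned modules found: sign and enroll a MOK first"
else
    # Default: run over the constructed sample so the script works anywhere.
    printf '%s\n' "$SAMPLE" | audit || echo "Unsigned modules found in sample"
fi
```

A signer name only shows that a signature is present; whether the signing key is actually trusted at boot is what `mokutil --list-enrolled` answers.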

  6. #6
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Secure boot with nVIDIA?

    Good job. Yes, mokutil works... And yet, it is a pain.

    So this is solved now? If so, please use the Thread Tools located at the upper Right of the page so others can find your solution to help solve their similar problems.
