From 7a5bdce97ceca5205b671332d0cac3491c8ef4dd Mon Sep 17 00:00:00 2001
From: Benjamin Sherman
Date: Sat, 17 Jun 2023 18:27:02 -0500
Subject: [PATCH] feat: cut over nvidia akmod signing key (#109)
This is the final PR for #100 . It should be merged at June 17, 2023 0000 UTC, as near as possible. Changes: - switches to new MOK/SecureBoot signing key for nvidia (already used by other akmods) - stops providing MOK public keys in ublue-os-nvidia-addons - updates messaging in README
---
 .github/workflows/build.yml | 2 +-
 README.md | 4 +---
 build.sh | 2 --
 certs/public_key.der | Bin 1550 -> 1528 bytes
 certs/public_key.der.new | Bin 1528 -> 0 bytes
 ublue-os-nvidia-addons.spec | 33 +++++++++++++--------------------
 6 files changed, 15 insertions(+), 26 deletions(-)
 delete mode 100755 certs/public_key.der.new
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 516f9ed..fc7fbf2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -83,7 +83,7 @@ jobs:
 if [[ "${{ github.event_name }}" == "pull_request" ]]; then
 echo "Using test signing key"
 else
- echo "${{ secrets.AKMOD_PRIVKEY }}" > certs/private_key.priv
+ echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
 fi
 # DEBUG: get character count of key
 wc -c certs/private_key.priv
diff --git a/README.md b/README.md
index 23d75b8..ff1fa70 100644
--- a/README.md
+++ b/README.md
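Review bot: The renamed secret is still interpolated straight into the shell script and written with a bare `echo`, so `certs/private_key.priv` is created under the runner's default umask (normally world-readable) and an unset or empty `AKMOD_PRIVKEY_20230518` — a new secret name that may not exist wherever this workflow runs on a non-PR event — yields an empty key file that only surfaces later as a signing failure. Fail fast and tighten the mode right after the write: `[[ -n "${{ secrets.AKMOD_PRIVKEY_20230518 }}" ]] || { echo "AKMOD_PRIVKEY_20230518 is not set" >&2; exit 1; }` followed by `chmod 600 certs/private_key.priv`. Passing the secret through an `env:` entry on the step and writing `"$AKMOD_PRIVKEY"` would also keep the key material out of the expression-expanded script text. The pre-existing `# DEBUG` / `wc -c` lines below become redundant once the emptiness check exists and can be dropped. The enclosing `run:` step starts and ends outside the hunk.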
@@ -74,12 +74,11 @@ rpm-ostree kargs \
 And then reboot one more time!
 ### 3. Enable Secure Boot support
-**IMPORTANT NOTE:** On June 17, 00:00 UTC, we will make a change to the key which is used to sign nvidia kernel modules. The new key is being made available May 17. The new key is `akmods-ublue.der` / `public_key.der.new` in the code blocks below. Until this document is updated to remove the old key, please import BOTH keys! This will ensure your SecureBoot system boots as expected after the cutover on June 17.
+**IMPORTANT NOTE:** On June 17, 00:00 UTC, we changed the key used to sign nvidia kernel modules. If your nvidia kernel modules are not loading, you need to import the new key.
 [Secure Boot](https://rpmfusion.org/Howto/Secure%20Boot) support for the nvidia kernel modules can be enabled by enrolling the signing key:
 ```
-sudo mokutil --import /etc/pki/akmods/certs/akmods-nvidia.der
 sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
 ```
@@ -87,7 +86,6 @@ Alternatively, the key can be enrolled from within this repo:
 ```
 sudo mokutil --import ./certs/public_key.der
-sudo mokutil --import ./certs/public_key.der.new
 ```
 ## Rolling back and rebasing
diff --git a/build.sh b/build.sh
index 71616fe..2edb38d 100755
--- a/build.sh
+++ b/build.sh
@@ -45,8 +45,6 @@ modinfo /usr/lib/modules/${KERNEL_VERSION}/extra/${NVIDIA_PACKAGE_NAME}/nvidia{,
 sed -i "s@gpgcheck=0@gpgcheck=1@" /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container-runtime.repo
 install -D /etc/pki/akmods/certs/public_key.der /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/public_key.der
-# copy new public key to facilitate user imports before switching
-install -Dm644 /tmp/certs/public_key.der.new /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/public_key.der.new
 rpmbuild -ba \
 --define '_topdir /tmp/ublue-os-nvidia-addons/rpmbuild' \
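Review bot: The context line `install -D /etc/pki/akmods/certs/public_key.der … SOURCES/public_key.der` directly above the removed lines still copies a MOK public key into the RPM sources, while the commit message and the spec changelog say this package stops providing MOK keys. If the spec no longer lists `public_key.der` as a source, that line is now dead and should be dropped together with the `.new` copy; if the spec still packages it, the "Remove MOK keys" changelog entry is inaccurate — the spec hunk is not readable in this patch, so this is inferred. Note also that the file installed there comes from the build host's `/etc/pki/akmods/certs/`, not from this repo's updated `certs/public_key.der` that the README tells users to enroll; if the two are meant to be the same certificate, a one-line guard such as `cmp -s /etc/pki/akmods/certs/public_key.der certs/public_key.der || { echo "MOK public key mismatch" >&2; exit 1; }` would catch a cutover skew at build time. The `rpmbuild -ba` invocation continues outside the hunk.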
diff --git a/certs/public_key.der b/certs/public_key.der index fc3c038c6e09efcc5a9273d747c3da581d3c0913..98507ab7602836a1866c07b492516cde8894cfd3 100755 GIT binary patch literal 1528 zcmXqLV*O&!#C&G~GZP~dlZbep&9kCgDcioN>laV@x+LG`T$`BzFB_*;n@8JsUPeZ4 zRtAH{DTd+(qHN5eEL=Q%p?R5QsYS(!ISNiWrKyJeK*c}_ZXUM8?A-j6VnbB}Ww>rm zMlrFh{G#+!z2wB=lA?Tv^xVYE9KGcHTti+1Zje599u~j+yi^#M1Ipz#-~`FC2{T1R z7>XH)fH=%NyroG%D-|FXDHzC!^BNf&m>OCb85mm{nnj888iTl|Q0`!Lb`z5lasV^3 zGB7tW@iQ1SF>x_9F)=b6ZfBq3>H25+!fx^JvG*KSF)aHi-L^$5c=h@%mzzK4u6&>A zy6^TP=1xzu0TPUFpRK!R=4CJZuPK zyc^SWOhD+W?AFER^H-$@Y4oz6Pu=S%c75MR0i{zS)3%=#Q%K&scZaR{uAG8K$_AlCG|di;w=E zy4&5$J7$E-EPLC%Ea;haO4!CHucPKaNbzkwd&{*#(tznq;?y5Er))o{uAJgFV; z7~9qruL^8FWGC|X{Tu5ZJ3XU6Tc*BU(y~v>cG+L`^HrzMY~FLZc#U(Z(*@;%tzKK_ ztA{QA9#}24M1S`0AB8;^AMZQSb7XnciBF+E`St4q<{U_QvfPw2;8^{Ug|W%Lyk{3Y zaQLUytPmJt+|*f*o?El864Bnm$o5NfLVCf;#pYX|-a6ZNZ%ypNtMlDftq5m(K37uoyYlwT zy-I(CKTJ>N`?R$pWr_itm$=7cR<~JmM2fa@WF+n?5Da>E@huZGBLm}N8v`o?9$>PU z6=r1o&%$KD0M0M6{46ZYOzaH?vLGow7BLo)6IFMTx{qr=o_+G?2G?EY9&e%(o+GC( zU`}4}LHR+ckq$7Q977B_zw3@!kK5F9IeZDQyj(b=px`c1ke0o<( zRP9THl<9M=R#(%a`(}*+r+!)9jxB!oK>Gdk%=JIsGnq~h-JNpGAo;bT$gvRX`xEEo z$|ZWNd@1?)@uu^szv|BE33aExdp2)3GpFXO(4s{bo$PY_@9)25JAc{%Q_D~6yzit6 z!j*qq4c+uT?{f5K>rHny-I%@M@xI=;Nmbj}{JnDua-xNAKVHmsYm3l~Or@T{!(Xml z^$-n65Ze|kZ1`nieWqObKl{4F5AA|9KOd~yTPWuzx2Etb=k-<7elF+_P5HCulf&$* z=QNoNZgv>^88J=pvi$IB9k=T(`AsL5%Gr2{?KN!q(;iSQSX{@jwbNl@gXuvPg__8+ z$(4H7Po^Ht=CYV?C-7#QlAl2C^bg!pM-7eFaL%xaSLQfSIsNF&4h|uC&vkxfv9=T5 zsfjIODBkp8!cI#;)6;hDm$oz5##c<1I?nKExAE*ZCEv|Cw=6v7ETJN4dh$x+VOx{L zu-uwi>fP_E&fD(1es#^YE5}rx%g)=uHP^N#+{)tAx&GaOHjN6%6D+9A+MIWD|6aO)V`=jm-^A%nanj zd5w$>42=y9jEyV}&7#D4je%Sv3n+I8_@IeN2|3sqSs9p{nD`kCnwYqlnwS_F_D+pf zw>}|fmpVOvVa{{z`&XU!{=N2Q;yw=Ri(zH53-c@^*V(+UoZfb~vO>z_WyqJGkG~k3 zPks60)|(8ifM~VZ<#)JcHvIgOvTjHJkK}vPoPM?6xo#J`^auAq~#Z&rHX_G(qO{SFb{)?w+ZUr#z^JWI3Uv4HOR-HOw%Uwjq7 z!rnIZ$%UTm?S-swKO|1vsu?@`{Jk)Dren;Et2zP(-~VoPoK6nc3b0u;u)!rW*sbF`D2ah#(7g_?p9gq`7QCx*0siuyzeadmhaTI 
znDPGE57|W@Lemno?;dn%&u3z0WMEuuV_;>#1I!Du!iTBE}-J%<9D3_Yc*aJT|$aP3x-xxx z%A@uqyjgmhMuq5sx(ZGmbGGd%9$$>Y)P!!OzX&<}etP4DHfHM`w>R5goW%b#^Y*Jn z*1nm7E&N^~n=d4v7kFiw*`c(yHBQ5%OWgM7RK{nfYMPH zZ~DKY1#dUmrau+^d40uut00BtK?l?u7X?Pl|9MSCyYkc8u$m`zbHcq+*>`0am+v*5 zkf1tcaX`k}vdi4^cQ&<3L`}QaA#!8E_9bqModOLeEPL!T=Y4NX+is0urmOlhk3}6b zX{ywpT3Y){Y+w0;s;*f#JHuCgfADF^JmJ?YFOJ@xqp|bmwx+vB%KeYd|I@Mcp>jP} z%8}SNJK64Os|YFbc<$@}+>*+=UuD8?2g`@~XCp(F-EwJucz!>-x?%FyBmp<)wYr;L z1s?oX7qrS{kAAjd^yh=V??Wsr)^&eeyHC1gdgOhJ>(9>XPrEZm&U8gtPRI4W%YoaA zG}7$%hnW8o_c`O1S;O4N{?A83r9`uBWz+pP$KPIZtvpq1|Fmam%g5zmDbY{eCfdt! zeklDXB*v^@p>yr1n*W>r31{E1Ijz~e+B8zCbEeFhdzWPG)@=E(;BZ3v)9En6X06JC*Mr KTNPVN*dqY;<9TNQ 
diff --git a/certs/public_key.der.new b/certs/public_key.der.new deleted file mode 100755 index 98507ab7602836a1866c07b492516cde8894cfd3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1528 zcmXqLV*O&!#C&G~GZP~dlZbep&9kCgDcioN>laV@x+LG`T$`BzFB_*;n@8JsUPeZ4 zRtAH{DTd+(qHN5eEL=Q%p?R5QsYS(!ISNiWrKyJeK*c}_ZXUM8?A-j6VnbB}Ww>rm zMlrFh{G#+!z2wB=lA?Tv^xVYE9KGcHTti+1Zje599u~j+yi^#M1Ipz#-~`FC2{T1R z7>XH)fH=%NyroG%D-|FXDHzC!^BNf&m>OCb85mm{nnj888iTl|Q0`!Lb`z5lasV^3 zGB7tW@iQ1SF>x_9F)=b6ZfBq3>H25+!fx^JvG*KSF)aHi-L^$5c=h@%mzzK4u6&>A zy6^TP=1xzu0TPUFpRK!R=4CJZuPK zyc^SWOhD+W?AFER^H-$@Y4oz6Pu=S%c75MR0i{zS)3%=#Q%K&scZaR{uAG8K$_AlCG|di;w=E zy4&5$J7$E-EPLC%Ea;haO4!CHucPKaNbzkwd&{*#(tznq;?y5Er))o{uAJgFV; z7~9qruL^8FWGC|X{Tu5ZJ3XU6Tc*BU(y~v>cG+L`^HrzMY~FLZc#U(Z(*@;%tzKK_ ztA{QA9#}24M1S`0AB8;^AMZQSb7XnciBF+E`St4q<{U_QvfPw2;8^{Ug|W%Lyk{3Y zaQLUytPmJt+|*f*o?El864Bnm$o5NfLVCf;#pYX|-a6ZNZ%ypNtMlDftq5m(K37uoyYlwT zy-I(CKTJ>N`?R$pWr_itm$=7cR<~JmM2fa@WF+n?5Da>E@huZGBLm}N8v`o?9$>PU z6=r1o&%$KD0M0M6{46ZYOzaH?vLGow7BLo)6IFMTx{qr=o_+G?2G?EY9&e%(o+GC( zU`}4}LHR+ckq$7Q977B_zw3@!kK5F9IeZDQyj(b=px`c1ke0o<( zRP9THl<9M=R#(%a`(}*+r+!)9jxB!oK>Gdk%=JIsGnq~h-JNpGAo;bT$gvRX`xEEo z$|ZWNd@1?)@uu^szv|BE33aExdp2)3GpFXO(4s{bo$PY_@9)25JAc{%Q_D~6yzit6 z!j*qq4c+uT?{f5K>rHny-I%@M@xI=;Nmbj}{JnDua-xNAKVHmsYm3l~Or@T{!(Xml z^$-n65Ze|kZ1`nieWqObKl{4F5AA|9KOd~yTPWuzx2Etb=k-<7elF+_P5HCulf&$* z=QNoNZgv>^88J=pvi$IB9k=T(`AsL5%Gr2{?KN!q(;iSQSX{@jwbNl@gXuvPg__8+ z$(4H7Po^Ht=CYV?C-7#QlAl2C^bg!pM-7eFaL%xaSLQfSIsNF&4h|uC&vkxfv9=T5 zsfjIODBkp8!cI#;)6;hDm$oz5##c<1I?nKExAE*ZCEv|Cw=6v7ETJN4dh$x+VOx{L zu-uwi>fP_E&fD(1es#^YE5}rx%g)=uHP^N#+{)tAx&GaOH - 0.7 +- Remove MOK keys; now provided by ublue-os-akmods-addons + * Sat Jun 17 2023 RJ Trujillo - 0.6 - Add supergfxctl-plasmoid COPR