feat: cut over nvidia akmod signing key
This is the final PR for #100.

It should be merged on June 17, 2023 at 00:00 UTC, as near as possible.

Changes:
- switches to new MOK/SecureBoot signing key for nvidia (already used by
  other akmods)
- stops providing MOK public keys in ublue-os-nvidia-addons
- updates messaging in README
bsherman committed May 31, 2023
1 parent 681cc35 commit 50b7eaf
Showing 6 changed files with 18 additions and 29 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
@@ -83,7 +83,7 @@ jobs:
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Using test signing key"
else
echo "${{ secrets.AKMOD_PRIVKEY }}" > certs/private_key.priv
echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
fi
# DEBUG: get character count of key
wc -c certs/private_key.priv
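Review bot: the `# DEBUG: get character count of key` / `wc -c certs/private_key.priv` step is still present after the cutover; it existed only to confirm the secret landed, and it writes a property of the private signing key to the public build log, so it should be dropped now that the switch to `AKMOD_PRIVKEY_20230518` is final. While here, the key is written with a plain shell redirection under the default umask; a `umask 077` before the `echo` would keep `certs/private_key.priv` readable only by the build user. Once no branch still references `secrets.AKMOD_PRIVKEY`, delete that secret from the repository settings so the retired key can no longer be picked up by any workflow.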
4 changes: 1 addition & 3 deletions README.md
@@ -74,20 +74,18 @@ rpm-ostree kargs \
And then reboot one more time!

### 3. Enable Secure Boot support
**IMPORTANT NOTE:** On June 17, 00:00 UTC, we will make a change to the key which is used to sign nvidia kernel modules. The new key is being made available May 17. The new key is `akmods-ublue.der` / `public_key.der.new` in the code blocks below. Until this document is updated to remove the old key, please import BOTH keys! This will ensure your SecureBoot system boots as expected after the cutover on June 17.
**IMPORTANT NOTE:** On June 17, 00:00 UTC, we changed the key used to sign nvidia kernel modules. If your nvidia kernel modules are not loading, you need to import the new key.

[Secure Boot](https://rpmfusion.org/Howto/Secure%20Boot) support for the nvidia kernel modules can be enabled by enrolling the signing key:

```
sudo mokutil --import /etc/pki/akmods/certs/akmods-nvidia.der
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
```

Alternatively, the key can be enrolled from within this repo:

```
sudo mokutil --import ./certs/public_key.der
sudo mokutil --import ./certs/public_key.der.new
```

## Rolling back and rebasing
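Review bot: the retained command `sudo mokutil --import /etc/pki/akmods/certs/akmods-nvidia.der` points at a file this package no longer installs: the spec in this same commit removes both `akmods-nvidia.der` and `akmods-ublue.der`, and its changelog says the keys are now provided by ublue-os-akmods-addons. Confirm that package ships the new certificate under exactly that path and filename, or update the README to name the file it does ship. The new IMPORTANT NOTE would also be more useful if it told users how to check whether they are affected, for example comparing `modinfo -F sig_key` on the installed nvidia module against the serial number of the certificate shown by `mokutil --list-enrolled`, rather than only "if your nvidia kernel modules are not loading". Finally, consider a sentence telling users they can remove the old key with `mokutil --delete` once the new modules boot, since an unused key left enrolled in MOK retains its signing authority.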
2 changes: 0 additions & 2 deletions build.sh
@@ -45,8 +45,6 @@ modinfo /usr/lib/modules/${KERNEL_VERSION}/extra/${NVIDIA_PACKAGE_NAME}/nvidia{,
sed -i "s@gpgcheck=0@gpgcheck=1@" /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container-runtime.repo

install -D /etc/pki/akmods/certs/public_key.der /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/public_key.der
# copy new public key to facilitate user imports before switching
install -Dm644 /tmp/certs/public_key.der.new /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/public_key.der.new

rpmbuild -ba \
--define '_topdir /tmp/ublue-os-nvidia-addons/rpmbuild' \
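Review bot: dropping the two `install` lines means build.sh no longer stages any public key into rpmbuild SOURCES, which is consistent with the spec change, but nothing in the build now verifies that the freshly built modules are signed with the key users are being told to enroll. The `modinfo` call visible in the hunk header already inspects the nvidia modules; extending it to `modinfo -F sig_key` and failing the build when the value does not match the serial of the new certificate would catch the workflow picking up the wrong secret at build time, instead of that surfacing on the cutover date as Secure Boot machines failing to load nvidia.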
Binary file modified certs/public_key.der
Binary file removed certs/public_key.der.new
39 changes: 16 additions & 23 deletions ublue-os-nvidia-addons.spec
@@ -1,5 +1,5 @@
Name: ublue-os-nvidia-addons
Version: 0.5
Version: 0.6
Release: 1%{?dist}
Summary: Additional files for nvidia driver support

@@ -9,57 +9,50 @@ URL: https://github.com/ublue-os/nvidia
BuildArch: noarch
Supplements: mokutil policycoreutils

Source0: public_key.der
Source1: nvidia-container-runtime.repo
Source2: lukenukem-asus-linux.repo
Source3: config-rootless.toml
Source4: nvidia-container.pp
Source5: environment
Source6: public_key.der.new
Source0: nvidia-container-runtime.repo
Source1: lukenukem-asus-linux.repo
Source2: config-rootless.toml
Source3: nvidia-container.pp
Source4: environment

%description
Adds various runtime files for nvidia support. These include a key for importing with mokutil to enable secure boot for nvidia kernel modules
Adds various runtime files for nvidia support.

%prep
%setup -q -c -T


%build
# Have different name for *.der in case kmodgenca is needed for creating more keys
install -Dm0644 %{SOURCE0} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
install -Dm0644 %{SOURCE1} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
install -Dm0644 %{SOURCE2} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
install -Dm0644 %{SOURCE3} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
install -Dm0644 %{SOURCE4} %{buildroot}%{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp
install -Dm0644 %{SOURCE5} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/sway/environment
install -Dm0644 %{SOURCE6} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
install -Dm0644 %{SOURCE0} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
install -Dm0644 %{SOURCE1} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
install -Dm0644 %{SOURCE2} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
install -Dm0644 %{SOURCE3} %{buildroot}%{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp
install -Dm0644 %{SOURCE4} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/sway/environment

sed -i 's@enabled=1@enabled=0@g' %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/{lukenukem-asus-linux,nvidia-container-runtime}.repo

install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der %{buildroot}%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der %{buildroot}%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo %{buildroot}%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo %{buildroot}%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml %{buildroot}%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp %{buildroot}%{_datadir}/selinux/packages/nvidia-container.pp

%files
%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
%attr(0644,root,root) %{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp
%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/sway/environment
%attr(0644,root,root) %{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
%attr(0644,root,root) %{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
%attr(0644,root,root) %{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
%attr(0644,root,root) %{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
%attr(0644,root,root) %{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
%attr(0644,root,root) %{_datadir}/selinux/packages/nvidia-container.pp

%changelog
* Sun May 17 2023 Benjamin Sherman <[email protected]> - 0.5
* Sat Jun 17 2023 Benjamin Sherman <[email protected]> - 0.6
- Remove MOK keys; now provided by ublue-os-akmods-addons

* Wed May 17 2023 Benjamin Sherman <[email protected]> - 0.5
- Add new ublue akmod public key for MOK enrollment

* Sun Mar 26 2023 Joshua Stone <[email protected]> - 0.4
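Review bot: the new `%changelog` entry is dated `Sat Jun 17 2023` while the commit is authored May 31; the weekday is correct and the date matches the planned merge date from the PR description, but if the package is built before then, rpmlint's changelog-time-in-future check will flag it. The weekday fix on the 0.5 entry (`Sun` to `Wed`; May 17 2023 was a Wednesday) is right. With both `.der` files removed from `%files`, `Supplements: mokutil policycoreutils` still pulls in mokutil for a package that no longer ships anything to enroll; consider dropping mokutil here or carrying the supplement over to ublue-os-akmods-addons with the keys. The trimmed `%description` ("Adds various runtime files for nvidia support.") could also keep a one-line pointer to where the MOK key moved, for users who look for it in this package.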
