
Bug#990311: Secure boot does not work correctly with nvidia-driver after upgrade to Debian 10.10



Package:       shim* (shim-signed, shim-signed-common,
shim-helpers-amd64-signed, shim-unsigned)
Version:        1.36~1
Platform:      amd64

Dear Maintainer,

I'm using Secure Boot for an AMD64 system and I have installed the
non-free nvidia graphics driver (nvidia-driver). To use Secure Boot, I
have to sign the additional NVidia modules manually with the following
steps:

1) create a self-signed certificate using openssl -> I have got the key
file <hostname>.der

2) sign all module files with the script:
/lib/modules/<kernel version>/build/scripts/sign-file

3) import the key with the command: mokutil --import <hostname>.der

4) Reboot the system and enroll the key after entering the passphrase

These steps work fine for me, but after upgrading to Debian 10.10 it
no longer works: the kernel cannot start the NVidia driver, and the
error log says that the kernel cannot find a trusted key. After running
the command "mokutil --list-enrolled" I got the message "MokListRT
is empty."  Then I installed an older Debian version, 10.2, with the
older package shim-signed, Version: 1.33+15153313, and now I can see the
imported key using the command mokutil --list-enrolled.

As a workaround I have installed the older Debian version 10.2 and have
upgraded to 10.10 except for the shim packages; then I installed
the nvidia driver and signed the NVidia module files, and now I can
boot into a graphical desktop.

Best regards,
Christian
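
A check for the symptom reported above, added here as an example and not part of the original report or of any Debian package: it separates "MokListRT is empty" (the key list never reached the kernel) from "keys are enrolled, but not the one that signed the module". The function names, the script name mokcheck.sh and the sample outputs are assumptions made for illustration, as is the "[key N]" layout of the mokutil listing.

```shell
#!/bin/sh
# Added example: classify the Secure Boot trust state for a self-signed module.

# mok_state: stdin is the output of `mokutil --list-enrolled`.
# Prints "empty", "enrolled" or "unknown".
mok_state() {
    awk '/MokListRT is empty/ { empty = 1 }
         /^\[key [0-9]+\]/    { keys++ }
         END { if (empty) print "empty"
               else if (keys) print "enrolled"
               else print "unknown" }'
}

# signer_trusted SIGNER: stdin is the output of `mokutil --list-enrolled`.
# Succeeds when an enrolled certificate has exactly CN=SIGNER in its Subject.
signer_trusted() {
    sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' |
        sed 's/ *= */=/g; s/, */,/g' | tr ',' '\n' | grep -Fxq -e "CN=$1"
}

# diagnose SIGNER MOKLIST: SIGNER comes from `modinfo -F signer <module>`.
diagnose() {
    case $(printf '%s\n' "$2" | mok_state) in
        empty)    echo "mok-list-empty" ;;
        enrolled) if printf '%s\n' "$2" | signer_trusted "$1"
                  then echo "signer-enrolled"
                  else echo "signer-not-enrolled"; fi ;;
        *)        echo "unknown" ;;
    esac
}

# Constructed sample outputs (not taken from the report).
SAMPLE_EMPTY='MokListRT is empty'
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Issuer: CN = examplehost
        Subject: CN = examplehost'

# On a real host (hypothetical script name): sh mokcheck.sh --live nvidia
if [ "${1:-}" = "--live" ]; then
    diagnose "$(modinfo -F signer "${2:?module name}")" \
             "$(mokutil --list-enrolled 2>&1)"
fi
```

A result of mok-list-empty on a machine where the key was enrolled earlier matches the behaviour described in this report and points at the boot chain rather than at the module signature.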