[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#990311: Secure boot does not work correctly with nvidia-driver after upgrade to Debian 10.10

Dear Maintainer,

I can confirm this issue - after upgrade on 21.06.2021, Secure Boot no longer works. Signing the third party kernel modules reports no problems, but the signed modules are not loaded on boot. Issue appears to be that the MOK isnot available during and/or after boot.

host:/# mokutil --list-enrolled

MokListRT is empty

Using mokutil to reinstall the MOK works in that the correct user key is visible in the EFI utility during the next restart, but after boot the output of mokutil --list-enrolled is unchanged (MokListRT is empty).  Booting an older kernel (which was working without problem prior to the upgrade) does not change the behaviour on boot. This indicates to me that the problem is not related to module signing.

Downgrading shim by downloading the relevant packages from snapshot.debian.org and rolling back results in a system where the MOK is correctly listed by mokutil --list-enrolled:

host:/# apt-get install shim-signed=1.33+15+1533136590.3beb971-7 shim-signed-common=1.33+15+1533136590.3beb971-7 shim-unsigned=15+1533136590.3beb971-7+deb10u1 shim-helpers-amd64-signed=1+15+1533136590.3beb971+7+deb10u1

After this downgrade, the nvidia driver modules were loaded on next boot. The virtualbox modules could only be loaded after re-signing with the MOK. Once this has been done, the system boots normally on subsequent restarts.  Following the same procedure and updating from version 1.33 to version 1.34 showed the same behaviour as for 1.36 - mokutil --list-enrolled reported an empty list.

Best regards,


Reply to: