
Re: secure boot key enrolling questions



On Sat, Jan 04, 2025 at 11:22:15PM -0500, Anil F Duggirala wrote:
> hello everyone,
> 
> I am looking to install the Nvidia proprietary driver in my Debian 12 machine. This is a clean install on a Dell XPS 9550 laptop.
> 
> I have Secure boot enabled. The instructions say that I need to enroll an mok key (have no idea what that means).
> 
> Running the command: sudo mokutil --import /var/lib/dkms/mok.pub
> Outputs: Failed to get file status, /var/lib/dkms/mok.pub
> 
> There is in fact no folder named dkms in my /var/lib directory.

Hi Anil

The instructions you are following seem incomplete. I do not use nvidia myself but according to https://dev.to/dev-charodeyka/debian-secure-boot-to-be-or-not-to-be-that-is-the-question-1o82 then you need to create the MOK first.
The example given on that page is the following:

$ su - #if you are logged
# mkdir -p /var/lib/shim-signed/mok/
# cd /var/lib/shim-signed/mok/
# openssl req -nodes -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
# openssl x509 -inform der -in MOK.der -out MOK.pem

After that you can import the new MOK

$ sudo mokutil --import /var/lib/shim-signed/mok/MOK.der # prompts for one-time password
$ sudo reboot

After the reboot there should be some kind of MOK import prompt you need to go through to accept your new MOK.

HTH

Oli
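
Added example, not part of the original message: a pre-enrollment sanity check for the files the steps above produce, confirming that the unencrypted MOK.priv is owner-only, that it matches MOK.der, and that MOK.pem is the same certificate, then printing the fingerprint to compare against `mokutil --list-new` after the import. The function names, the scratch directory and the CN "Example MOK" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks on a freshly generated MOK before `mokutil --import`.
# Works in a scratch directory (assumption), not /var/lib/shim-signed/mok/.

# Create key, DER certificate and PEM copy with the openssl options from the post.
mok_generate() {
    dir=$1; cn=$2
    ( umask 077    # -nodes leaves the key unencrypted, so keep it owner-only
      cd "$dir" || exit 1
      openssl req -nodes -new -x509 -newkey rsa:2048 -keyout MOK.priv \
          -outform DER -out MOK.der -days 36500 -subj "/CN=$cn/" &&
      openssl x509 -inform der -in MOK.der -out MOK.pem )
}

# True when group and other have no permission bits on the private key.
mok_key_is_private() {
    [ "$(ls -l "$1/MOK.priv" | cut -c5-10)" = "------" ]
}

# True when the public key inside MOK.der belongs to MOK.priv.
mok_key_matches_cert() {
    cert_pub=$(openssl x509 -inform der -in "$1/MOK.der" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/MOK.priv" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True when MOK.pem is the same certificate as MOK.der.
mok_pem_matches_der() {
    a=$(openssl x509 -inform der -in "$1/MOK.der" -noout -fingerprint -sha256) || return 1
    b=$(openssl x509 -in "$1/MOK.pem" -noout -fingerprint -sha256) || return 1
    [ "$a" = "$b" ]
}

# SHA1 fingerprint of the certificate that will be enrolled.
mok_fingerprint() {
    openssl x509 -inform der -in "$1/MOK.der" -noout -fingerprint -sha1 | cut -d= -f2
}

# Run every check; print the fingerprint only if all of them pass.
mok_precheck() {
    mok_key_is_private "$1"   || { echo "MOK.priv is readable by group/other" >&2; return 1; }
    mok_key_matches_cert "$1" || { echo "MOK.priv does not match MOK.der" >&2; return 1; }
    mok_pem_matches_der "$1"  || { echo "MOK.pem differs from MOK.der" >&2; return 1; }
    echo "SHA1 fingerprint: $(mok_fingerprint "$1")"
}

# Demo in a throwaway directory; "Example MOK" is a constructed CN.
demo_dir=$(mktemp -d)
mok_generate "$demo_dir" "Example MOK" && mok_precheck "$demo_dir"
rm -rf "$demo_dir"
```

To check the real files, run `mok_precheck /var/lib/shim-signed/mok` as root before the `mokutil --import` step.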

