Bug 1221776 - Secureboot/nvidia: modules aren't signed at all for Leap 15.6/sle15-sp6
Summary: Secureboot/nvidia: modules aren't signed at all for Leap 15.6/sle15-sp6
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: X11 3rd Party Driver
Version: Leap 15.6
Hardware: x86-64 Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Stefan Dirsch
QA Contact: Stefan Dirsch
Reported: 2024-03-20 20:05 UTC by Andreas
Modified: 2024-03-22 15:56 UTC


Attachments
journald log (242.68 KB, text/plain)
2024-03-20 20:05 UTC, Andreas

Description Andreas 2024-03-20 20:05:24 UTC
Created attachment 873670
journald log

After updating the nvidia driver from G06-550.54.14 to G06-550.67, the GPU with secure boot stopped working. If secure boot is disabled, the GPU works again.

systemd-udevd[720]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service

mokutil --import /var/lib/nvidia-pubkeys/MOK-nvidia-driver-G06-550.67-lp156.20.1-default.der --root-pw
SKIP: /var/lib/nvidia-pubkeys/MOK-nvidia-driver-G06-550.67-lp156.20.1-default.der is already enrolled
Comment 1 Stefan Dirsch 2024-03-20 22:00:27 UTC
So did you also enroll it after reboot in Mokmanager?

https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot
Comment 2 Andreas 2024-03-21 17:55:29 UTC
(In reply to Stefan Dirsch from comment #1)
> So did you also enroll it after reboot in Mokmanager?
> 
> https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot

Yes, I enrolled the key after updating the driver. I uninstalled the driver, deleted the old key and installed the new driver, imported the key and enrolled it, enabled secure boot and the GPU does not work.
Comment 3 Stefan Dirsch 2024-03-21 19:29:48 UTC
Hmm. I need to try to reproduce.
Comment 4 Stefan Dirsch 2024-03-22 14:32:26 UTC
Trying to reproduce on current Leap 15.6 ...

# mokutil --sb-state
SecureBoot enabled

# prime-select get-current
Driver configured: nvidia
NVIDIA modules are loaded

# XAUTHORITY=/run/sddm/xauth_TNLtOu DISPLAY=:0 glxinfo -B|grep "OpenGL renderer"
OpenGL renderer string: NVIDIA RTX A1000 Laptop GPU/PCIe/SSE2

# zypper -v up -r NVIDIA:repo-non-free
Verbosity: 2
Initialising Target
Refreshing service 'NVIDIA'.
Refreshing service 'openSUSE'.
Checking whether to refresh metadata for repo-non-free (15.6)
Loading repository data...
Reading installed packages...
Force resolution: No

The following 11 packages are going to be upgraded:
  nvidia-compute-G06             550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-compute-G06-32bit       550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-compute-utils-G06       550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-driver-G06-kmp-default  550.54.14_k6.4.0_150600.8-lp156.20.1 -> 550.67_k6.4.0_150600.10-lp156.20.1
  nvidia-drivers-G06             550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-drivers-minimal-G06     550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-gl-G06                  550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-gl-G06-32bit            550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-utils-G06               550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-video-G06               550.54.14-lp156.20.1 -> 550.67-lp156.20.1
  nvidia-video-G06-32bit         550.54.14-lp156.20.1 -> 550.67-lp156.20.1

11 packages to upgrade.
Overall download size: 289,7 MiB. Already cached: 0 B. After the operation, additional 59,3 KiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
[...]
packages install, nvidia driver build and signing ...
# reboot ...
Mok management .. delete mok (old 550.54 key)  ... enroll mok (new 550.67 key) ... reboot

And then indeed nvidia module cannot be loaded. :-(

[    0.925472] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    0.925567] integrity: Loaded X.509 cert 'Local build for nvidia-driver-G06 550.67 on 2024-03-22: a4fef6678cfb85c5ede7c8f409235204f6c4841d'
[    0.925570] Loading compiled-in module X.509 certificates
[    0.925579] Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: a746b64b6cb71f13385638055f46162bac632acd'
[    0.925580] ima: Allocated hash algorithm: sha256
[    0.944921] evm: Initialising EVM extended attributes:
[    0.944925] evm: security.selinux
[    0.944926] evm: security.SMACK64 (disabled)
[    0.944926] evm: security.SMACK64EXEC (disabled)
[    0.944927] evm: security.SMACK64TRANSMUTE (disabled)
[    0.944927] evm: security.SMACK64MMAP (disabled)
[    0.944928] evm: security.apparmor
[    0.944928] evm: security.ima
[    0.944929] evm: security.capability
[    0.944929] evm: HMAC attrs: 0x1
[    0.944972] audit: type=1807 audit(1711117668.575:2): action=measure func=KEXEC_KERNEL_CHECK res=1
[    0.944983] audit: type=1807 audit(1711117668.575:3): action=measure func=MODULE_CHECK res=1
[    1.046898] PM:   Magic number: 0:47:486
[    1.049643] RAS: Correctable Errors collector initialized.
[    1.049660] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
Comment 6 Stefan Dirsch 2024-03-22 15:55:22 UTC
(modules weren't signed at all ...)
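The failure in this report (modprobe answering "Key was rejected by service", root cause per comment 6: the rebuilt modules carried no signature) can be caught before rebooting into Secure Boot. The script below is an added example, not part of the bug report or of the openSUSE/NVIDIA packaging: it checks whether each installed nvidia module actually ends with the kernel's appended-signature trailer, reports the signer that modinfo parses out of it, and checks whether a MOK whose subject matches the driver name is enrolled. It assumes modules live under /lib/modules/<kernel version>/ (possibly compressed as .zst/.xz/.gz), that modinfo is kmod's (which prints a "signer" field for signed modules), that module paths contain no spaces, and that mokutil runs as root; the sample files in the self-check are constructed, not real modules.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that nvidia kernel modules
# are signed and that a matching MOK is enrolled, before trusting a
# Secure Boot reboot. Paths and names below are illustrative assumptions.

# Trailer that the kernel's sign-file tool appends to every signed module
# (MODULE_SIG_STRING in the kernel sources): 27 characters plus a newline.
SIG_MAGIC='~Module signature appended~'

# module_is_signed FILE -> 0 if FILE ends with the signature trailer,
# 1 if not, 2 if FILE cannot be read. Compressed modules are decompressed
# first, because the trailer sits inside the compressed payload.
module_is_signed() {
    mod="$1"
    [ -r "$mod" ] || return 2
    case "$mod" in
        *.zst) zstd -dc "$mod" ;;
        *.xz)  xz -dc "$mod" ;;
        *.gz)  gzip -dc "$mod" ;;
        *)     cat "$mod" ;;
    esac | tail -c 28 | grep -q "$SIG_MAGIC"
}

# module_signer FILE -> the signer subject that modinfo reports, "unknown"
# if modinfo cannot parse it, or "none" for an unsigned module.
module_signer() {
    if module_is_signed "$1"; then
        s=$(modinfo -F signer "$1" 2>/dev/null || true)
        echo "${s:-unknown}"
    else
        echo none
    fi
}

# check_nvidia_modules [KVER] -> one line per nvidia module found for the
# kernel (default: the running one). Returns 1 if any module is unsigned,
# which is exactly the state that makes modprobe fail under Secure Boot.
check_nvidia_modules() {
    kver="${1:-$(uname -r)}"
    rc=0
    for mod in $(find "/lib/modules/$kver" -name 'nvidia*.ko*' 2>/dev/null || true); do
        if module_is_signed "$mod"; then
            printf 'SIGNED   %s (signer: %s)\n' "$mod" "$(module_signer "$mod")"
        else
            printf 'UNSIGNED %s\n' "$mod"
            rc=1
        fi
    done
    return $rc
}

# mok_enrolled_for PATTERN -> 0 if an enrolled MOK subject matches PATTERN.
# For this driver the subject seen in the kernel log reads
# 'Local build for nvidia-driver-G06 550.67 ...'. Needs root and mokutil.
mok_enrolled_for() {
    mokutil --list-enrolled 2>/dev/null | grep -q "$1"
}

# Stand-alone usage: report module state, then the MOK state.
check_nvidia_modules "$@" \
    || echo 'at least one nvidia module is unsigned: modprobe will report "Key was rejected by service" under Secure Boot' >&2
if mok_enrolled_for 'nvidia-driver-G06'; then
    echo 'a MOK for nvidia-driver-G06 is enrolled'
else
    echo 'no MOK for nvidia-driver-G06 enrolled (or not running as root)' >&2
fi
```

A module that is UNSIGNED here will be rejected no matter which MOK is enrolled, which is why the reporter's "already enrolled" answer from mokutil in the description was not the fix; a SIGNED module whose signer does not match any enrolled MOK fails the same way, so both checks are needed.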