OS: Fedora 29 (KDE)
I've set up my system to use UEFI secure boot using custom self-signed x509 keys/certificates. I've directly loaded the keys/certs into the ‘PK’, ‘KEK’, and ‘db’ UEFI variables, and am not using machine keys / MOK. I've got everything working with one exception: registering the card's firmware with secure boot.
Note: I'm not talking about the kernel modules. Those are signed with my custom private key, and once they get loaded things work just fine. The issue is with the “basic mode” graphics driver built into the GPU. The one that would, for example, be used to display the BIOS/UEFI menu.
The issue is typically resolved by itself because the card's firmware image is signed by some key (presumably Nvidia's) that is built into one of the pre-loaded Microsoft certificates used in the ‘db’ secure boot variable. But, using custom keys means that I don't have that particular signature on my “approved signature” list. Technically I can still boot, but I'm left with 2 not-so-great options:
1. Use the CSM and boot the card into legacy (BIOS-only) mode (which is no longer UEFI secure boot)
2. Keep UEFI mode active and forgo having any video output prior to the kernel modules loading (and hope that I don't need to change anything in the UEFI) (note: the 1080 Ti is the system's only GPU. The CPU doesn't have an integrated iGPU)
Does anyone know how I can register the card's firmware with secure boot? I'm assuming there's no good way to re-sign the firmware physically stored on the card with my x509 key/cert, but I'd think it should be possible to extract the firmware image (or at least its sha256 hash) and add that to the ‘db’ approved signature list, but I'm not sure how best to do this.
Thanks in advance.
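As an added example (not from the original post), the script below builds an EFI_SIGNATURE_LIST carrying EFI_CERT_SHA256 entries, which is the format the ‘db’ variable stores hash allow-list entries in, and parses such lists back so you can verify what is actually enrolled (for example the payload of the db variable read from efivarfs, after stripping its 4-byte attribute prefix). One caveat worth knowing before enrolling a hash: for a PE/COFF image such as a UEFI option ROM driver, the digest the firmware compares against an EFI_CERT_SHA256 entry is the Authenticode hash of the image (which skips the checksum field and the certificate table), not a SHA-256 of the raw file bytes; efitools' hash-to-efi-sig-list computes that hash and writes this same list format. The owner GUID and the sample digest in the code are constructed placeholders.

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST blobs (added example, constructed data)."""
import hashlib
import struct
import uuid
from typing import List, Tuple

# GUIDs from the UEFI specification, EFI_IMAGE_SECURITY_DATABASE section.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Constructed owner GUID for entries we enrol; use any GUID you control.
OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
ESL_HEADER = struct.Struct("<16sIII")
SHA256_SIZE = 32


def build_sha256_esl(hashes: List[bytes], owner: uuid.UUID = OWNER_GUID) -> bytes:
    """Return one EFI_SIGNATURE_LIST holding the given SHA-256 digests.

    Each EFI_SIGNATURE_DATA entry is a 16-byte SignatureOwner GUID followed by
    the 32-byte digest, so SignatureSize is 48 and SignatureHeaderSize is 0.
    """
    for h in hashes:
        if len(h) != SHA256_SIZE:
            raise ValueError("EFI_CERT_SHA256 entries must be exactly 32 bytes")
    sig_size = 16 + SHA256_SIZE
    body = b"".join(owner.bytes_le + h for h in hashes)
    list_size = ESL_HEADER.size + len(body)
    return ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le, list_size, 0, sig_size) + body


def parse_esl(blob: bytes) -> List[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs (the payload of PK/KEK/db/dbx)
    and return (SignatureType, SignatureOwner, SignatureData) for every entry.

    Every size field is bounds-checked so a truncated or malformed blob raises
    instead of silently yielding garbage entries.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size exceeds blob")
        sig_type = uuid.UUID(bytes_le=raw_type)
        data_off = off + ESL_HEADER.size + hdr_size
        data_len = list_size - ESL_HEADER.size - hdr_size
        if sig_size < 16 or data_len % sig_size:
            raise ValueError("signature data is not a whole number of entries")
        for i in range(data_len // sig_size):
            entry = blob[data_off + i * sig_size : data_off + (i + 1) * sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def load_efivar(raw: bytes) -> bytes:
    """Strip the 4-byte attribute word that Linux efivarfs prepends to a
    variable's data (e.g. /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f)."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short to contain attributes")
    return raw[4:]


def describe(entries: List[Tuple[uuid.UUID, uuid.UUID, bytes]]) -> List[str]:
    """Human-readable one-liners for each entry, distinguishing hash from X.509 entries."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    return [
        f"{names.get(t, str(t))} owner={o} data={d[:8].hex()}... ({len(d)} bytes)"
        for t, o, d in entries
    ]


if __name__ == "__main__":
    # Constructed stand-in digest; a real entry would hold the Authenticode
    # hash of the option ROM's PE image, not a SHA-256 of the raw file.
    sample_digest = hashlib.sha256(b"constructed option ROM stand-in").digest()
    esl = build_sha256_esl([sample_digest])
    for line in describe(parse_esl(esl)):
        print(line)
```

The resulting blob is what you would feed to a signing step (efitools' sign-efi-sig-list signs an ESL with the KEK so the firmware will accept it as a db update); parse_esl plus load_efivar lets you confirm afterwards that the hash entry is really present alongside the existing certificate entries.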