diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 516f9ed..fc7fbf2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -83,7 +83,7 @@ jobs:
 if [[ "${{ github.event_name }}" == "pull_request" ]]; then
 echo "Using test signing key"
 else
- echo "${{ secrets.AKMOD_PRIVKEY }}" > certs/private_key.priv
+ echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
 fi
 # DEBUG: get character count of key
 wc -c certs/private_key.priv
diff --git a/README.md b/README.md
index 23d75b8..ff1fa70 100644
--- a/README.md
+++ b/README.md
@@ -74,12 +74,11 @@ rpm-ostree kargs \
 And then reboot one more time!
 ### 3. Enable Secure Boot support
-**IMPORTANT NOTE:** On June 17, 00:00 UTC, we will make a change to the key which is used to sign nvidia kernel modules. The new key is being made available May 17. The new key is `akmods-ublue.der` / `public_key.der.new` in the code blocks below. Until this document is updated to remove the old key, please import BOTH keys! This will ensure your SecureBoot system boots as expected after the cutover on June 17.
+**IMPORTANT NOTE:** On June 17, 00:00 UTC, we changed the key used to sign nvidia kernel modules. If your nvidia kernel modules are not loading, you need to import the new key.
 [Secure Boot](https://rpmfusion.org/Howto/Secure%20Boot) support for the nvidia kernel modules can be enabled by enrolling the signing key:
 ```
-sudo mokutil --import /etc/pki/akmods/certs/akmods-nvidia.der
 sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
 ```
@@ -87,7 +86,6 @@ Alternatively, the key can be enrolled from within this repo:
 ```
 sudo mokutil --import ./certs/public_key.der
-sudo mokutil --import ./certs/public_key.der.new
 ```
 ## Rolling back and rebasing
diff --git a/build.sh b/build.sh
index 71616fe..2edb38d 100755
--- a/build.sh
+++ b/build.sh
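Review bot: In the `.github/workflows/build.yml` hunk, the new `echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv` line still expands the secret into the script text before the shell runs, so any quote, `$` or backtick in the value is interpreted by the shell, and the file is created with the runner's default umask. Mapping the secret in the step's `env:` block (`AKMOD_PRIVKEY: ${{ secrets.AKMOD_PRIVKEY_20230518 }}`) and writing it with `(umask 077; printf '%s\n' "$AKMOD_PRIVKEY" > certs/private_key.priv)` avoids both. The enclosing `run:` step starts and ends outside the hunk, so whether `certs/` later enters an image build context cannot be confirmed from here; if it does, the key file should be removed once signing is done. The `wc -c` debug line also prints the key length to the job log on every run and looks safe to drop.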
@@ -45,8 +45,6 @@ modinfo /usr/lib/modules/${KERNEL_VERSION}/extra/${NVIDIA_PACKAGE_NAME}/nvidia{,
 sed -i "s@gpgcheck=0@gpgcheck=1@" /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container-runtime.repo
 install -D /etc/pki/akmods/certs/public_key.der /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/public_key.der
-# copy new public key to facilitate user imports before switching
-install -Dm644 /tmp/certs/public_key.der.new /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/public_key.der.new
 rpmbuild -ba \
 --define '_topdir /tmp/ublue-os-nvidia-addons/rpmbuild' \
diff --git a/certs/public_key.der b/certs/public_key.der
index fc3c038..98507ab 100755
Binary files a/certs/public_key.der and b/certs/public_key.der differ
diff --git a/certs/public_key.der.new b/certs/public_key.der.new
deleted file mode 100755
index 98507ab..0000000
Binary files a/certs/public_key.der.new and /dev/null differ
diff --git a/ublue-os-nvidia-addons.spec b/ublue-os-nvidia-addons.spec
index d35ecee..7ee32ba 100644
--- a/ublue-os-nvidia-addons.spec
+++ b/ublue-os-nvidia-addons.spec
@@ -1,5 +1,5 @@
 Name: ublue-os-nvidia-addons
-Version: 0.6
+Version: 0.7
 Release: 1%{?dist}
 Summary: Additional files for nvidia driver support
@@ -9,17 +9,15 @@ URL: /~https://github.com/ublue-os/nvidia
 BuildArch: noarch
 Supplements: mokutil policycoreutils
-Source0: public_key.der
-Source1: nvidia-container-runtime.repo
-Source2: lukenukem-asus-linux.repo
-Source3: jhyub-supergfxctl-plasmoid.repo
-Source4: config-rootless.toml
-Source5: nvidia-container.pp
-Source6: environment
-Source7: public_key.der.new
+Source0: nvidia-container-runtime.repo
+Source1: lukenukem-asus-linux.repo
+Source2: jhyub-supergfxctl-plasmoid.repo
+Source3: config-rootless.toml
+Source4: nvidia-container.pp
+Source5: environment
 %description
-Adds various runtime files for nvidia support. These include a key for importing with mokutil to enable secure boot for nvidia kernel modules
+Adds various runtime files for nvidia support.
 %prep
 %setup -q -c -T
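Review bot: With `public_key.der` and `public_key.der.new` dropped from the `Source` list, this package no longer places anything under `/etc/pki/akmods/certs`, yet the header adds no dependency on the package the changelog names as the new provider. If the image build does not already install it separately (not visible here), a line such as `Requires: ublue-os-akmods-addons` next to `Supplements:` would keep the README's `mokutil --import /etc/pki/akmods/certs/akmods-ublue.der` path from silently disappearing. The `build.sh` hunk also still shows `install -D /etc/pki/akmods/certs/public_key.der … SOURCES/public_key.der` as a context line, which looks unused now that no `Source` tag references that file.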
@@ -27,19 +25,15 @@ Adds various runtime files for nvidia support. These include a key for importing
 %build
 # Have different name for *.der in case kmodgenca is needed for creating more keys
-install -Dm0644 %{SOURCE0} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
-install -Dm0644 %{SOURCE1} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
-install -Dm0644 %{SOURCE2} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
+install -Dm0644 %{SOURCE0} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
+install -Dm0644 %{SOURCE1} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
 install -Dm0644 %{SOURCE2} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo
 install -Dm0644 %{SOURCE3} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
 install -Dm0644 %{SOURCE4} %{buildroot}%{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp
 install -Dm0644 %{SOURCE5} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/sway/environment
-install -Dm0644 %{SOURCE6} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
 sed -i 's@enabled=1@enabled=0@g' %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/{lukenukem-asus-linux,jhyub-supergfxctl-plasmoid,nvidia-container-runtime}.repo
-install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der %{buildroot}%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
-install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der %{buildroot}%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo %{buildroot}%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo %{buildroot}%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo %{buildroot}%{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo
@@ -47,16 +41,12 @@ install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp %{buildroot}%{_datadir}/selinux/packages/nvidia-container.pp
 %files
-%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
-%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/sway/environment
-%attr(0644,root,root) %{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
-%attr(0644,root,root) %{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
 %attr(0644,root,root) %{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
 %attr(0644,root,root) %{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
 %attr(0644,root,root) %{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo
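Review bot: The context comment `# Have different name for *.der in case kmodgenca is needed for creating more keys` at the top of `%build` in the `@@ -27,19 +25,15 @@` hunk is now stale, because this hunk removes every `.der` install it referred to. It should be deleted along with them, so a later reader does not go looking for key material this package no longer ships. The `%build` section continues past the end of the hunk.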
@@ -64,6 +54,9 @@ install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_datadir}/selinux/packages/nv
 %attr(0644,root,root) %{_datadir}/selinux/packages/nvidia-container.pp
 %changelog
+* Sat Jun 17 2023 Benjamin Sherman - 0.7
+- Remove MOK keys; now provided by ublue-os-akmods-addons
+
 * Sat Jun 17 2023 RJ Trujillo - 0.6
 - Add supergfxctl-plasmoid COPR