On Mon, Jun 17, 2024 at 12:44:53PM +0100, Aoife Moloney wrote: > Wiki - https://fedoraproject.org/wiki/Changes/NvidiaInstallationWithSecureboot > Discussion Thread - > https://discussion.fedoraproject.org/t/f41-change-proposal-nvidia-driver-installation-with-secure-boot-support-self-contained/120330 > > This is a proposed Change for Fedora Linux. > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be implemented if approved > by the Fedora Engineering Steering Committee. > > > == Summary == > > Nvidia Drivers have been removed from GNOME Software because it didn't > support Secure Boot which is increasingly often enabled. This change > brings the option back with Secure Boot supported. > > == Owner == > > * Name: [[User:eischmann|Jiří Eischmann]] > * Name: Milan Crha > > * Email: eischmann@xxxxxxxxxx > * Email: mcrha@xxxxxxxxxx > > > == Detailed Description == > > The goal is this change is to provide an easy way to install Nvidia > drivers in Fedora Workstation. It was removed from GNOME Software > because the original mechanism didn't support Secure Boot. When users > installed the drivers with Secure Boot enabled, they could not boot > the OS. > What we're doing this time is using mokutil to create a key for the > user to self-sign the drivers. When installing the drivers, the user > is asked to provide a password for the key. On the next reboot the > user is presented with the mokutil interface to enroll the key. Should this be a system-wide change, rather than self-contained change ? While the implementation is in gnome-software, since this is semi-automating enrollment of a new SecureBoot MOK, with the private key strored locally, it has security impact on the distro as a whole. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
