27
submitted 3 months ago by wallmenis@lemmy.one to c/linux@lemmy.ml

Hello, basically the title. It is one of the newer cards and the distro is Fedora 40.

[-] j4k3@lemmy.world 18 points 3 months ago

No. You can use either a Fedora distro or regular default vanilla Ubuntu. Both of these package managers have special shim keys that are signed by a 3rd party program from Microsoft.

If you want to run anything else, you need to self-sign your key for secure boot. Gentoo has killer documentation on how to do this. It doesn't matter what distro you use. Secure Boot is outside of the Linux kernel. With Fedora, it is handled by their Anaconda system (no relationship to the Python containers system by the same name).

[-] wallmenis@lemmy.one 7 points 3 months ago

I am mentioning the NVIDIA drivers. That is because there are new kernel modules that are open source. Maybe kernel signage is not needed with those ones. That is why I am asking.

[-] j4k3@lemmy.world 5 points 3 months ago

Secure boot must have all kernel modules signed. The system that Fedora uses is a way that builds the drivers from source with every new kernel update. It works, but it can't be modified further.

The primary issue you will likely come across is that the nvcc compiler is not open source and it is part of the CUDA chain. You can't build things like llama.cpp without nvcc and have CUDA support. Most example type projects have the same issues. Without nvcc fully open, you are still somewhat limited. Also the toolchain for nvcc screws up the open source built stuff and will put you back at the train wreck of secure boot. If Nvidia had half a working brain, they would open source everything instead of the petty conservative nonsense stupidity that drives proprietary fools. There is absolutely no room in AI for anyone that lacks full transparency.
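Added example, not part of any comment in this thread: a check for whether a kernel module file carries the appended signature trailer that the kernel looks for when it enforces module signing. `constructed_module` and its bytes are made up for the demonstration; a compressed module (`.ko.xz`, `.ko.zst`) has to be decompressed first, and a present trailer only shows that a signature is attached, not that it chains to a key the firmware or MOK list trusts.

```python
import struct
import sys

# Layout at the end of a signed module, per the kernel's module signing format:
#   [module body][signature blob][struct module_signature][MAGIC]
MAGIC = b"~Module signature appended~\n"
TRAILER = struct.Struct(">BBBBB3xI")  # algo, hash, id_type, signer_len, key_id_len, pad, sig_len
PKEY_ID_PKCS7 = 2                      # id_type used for PKCS#7 signatures

def parse_module_signature(blob):
    """Return details of the appended signature, or None if the module is unsigned."""
    if not blob.endswith(MAGIC):
        return None
    trailer_end = len(blob) - len(MAGIC)
    if trailer_end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    fields = TRAILER.unpack(blob[trailer_end - TRAILER.size:trailer_end])
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = fields
    body_end = trailer_end - TRAILER.size
    if sig_len == 0 or sig_len > body_end:
        raise ValueError("signature length does not fit in the file")
    return {
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "module_len": body_end - sig_len,
    }

def constructed_module(signed):
    """Constructed sample: a fake 64-byte module body, optionally with a fake signature."""
    body = b"\x7fELF" + bytes(60)
    if not signed:
        return body
    sig = b"\x30\x82" + bytes(254)  # placeholder bytes, not a real PKCS#7 blob
    return body + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC

if __name__ == "__main__":
    # Usage: pass paths to uncompressed .ko files.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = parse_module_signature(fh.read())
        print(path, info if info else "no signature appended")
```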

[-] boredsquirrel@slrpnk.net 4 points 3 months ago

The open source drivers are not included by default (out of tree) so no, this is the same scenario.

If the boot files change, you can't just fix the signature. That's a key feature of public-private cryptography.

[-] Fecundpossum@lemmy.world 3 points 3 months ago

This is entirely plausible, but I don’t know if it’s there yet. I’ve long since moved to AMD GPUs so I can’t really fiddle and find out. Give the open source drivers some time to mature.

Until then, you are reasonably safe running Linux with secure boot turned off. I’m no expert on the matter, but I’m not familiar with any ongoing threats to boot loader in Linux distributions. Stick to your official repos to be safest, unverified user maintained sources like AUR and COPR are possibly more likely to harbor security threats, don’t use them if you don’t need to or don’t know what you’re doing. Password your BIOS and require a password to log in to your operating system. Common sense is a better defense than secure boot.

[-] StrawberryPigtails@lemmy.sdf.org 10 points 3 months ago

Not necessarily, but doing so will make your life a lot easier, especially when it comes time to update the drivers.

[-] wallmenis@lemmy.one 2 points 3 months ago

By not necessarily, do you mean that I need to enroll keys?

[-] StrawberryPigtails@lemmy.sdf.org 2 points 3 months ago

The last time I had secure boot enabled on any of my systems was several years ago, but yes. At that time you had to enroll the keys both on the initial install and every update. It was such a headache for limited benefits (for me) that I just started disabling secure boot whenever I was setting up a system.

Things might have gotten easier, but I doubt it as the secure boot system is not really under the control of open source developers (for good reason) and the end user can really only choose whether it is enabled or disabled.

[-] boredsquirrel@slrpnk.net 4 points 3 months ago

It should go automatically. See the Fedora change proposals.

[-] wallmenis@lemmy.one 2 points 3 months ago

I am asking because I am looking to dual-boot with Windows 11 which requires secure-boot afaik. I could disable it whilst switching (each OS will be in its own drive with the corresponding bootloader) so any OS will be on a different drive.

[-] StrawberryPigtails@lemmy.sdf.org 3 points 3 months ago

Should be doable either way, but swapping secure boot on and off may cause problems with Windows in your proposed setup. I would pick one and stick with it. I know Linux is compatible with secure boot, I just never bothered to learn how to work with it. If I remember correctly, every time a change was made to the kernel, the keys would need to be reenrolled. This includes whenever the Nvidia driver’s updated.

Might want to read up on secure boot.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot

[-] wallmenis@lemmy.one 1 points 3 months ago

To be more clear, the swap of the OSes (not swap as in the swap partition) will be done from BIOS by changing the boot drive/EFI executable and toggling secure boot accordingly. Do you think this will work?

[-] StrawberryPigtails@lemmy.sdf.org 2 points 3 months ago

That's what I thought you might try. Answer is, I don't know. I think it would depend on what the UEFI does with the secure boot keys when you disable secure boot. From a security standpoint it would make most sense for it to wipe those keys, but I could be wrong. The easiest way to find out if it would cause a problem would be to try it.

If I understand this article correctly however, Windows only requires that the UEFI be capable of secure boot, not that secure boot be enabled.

I think the first thing I would try is to try installing and booting Windows without secure boot. If that fails, then reinstall, this time with secure boot enabled and leave it enabled. Several other comments here are saying that secure boot in Linux is now largely seamless and as it has been several years since I've mucked about with it, I'm inclined to listen to their recommendation.

[-] wallmenis@lemmy.one 1 points 3 months ago

I used to do this while using Windows 10 and Arch on my laptop. Didn't have any issues. It is just if Windows 11 might have an issue. Afaik from the above, my guess is that it just disables the checks whilst disabling secure boot.

[-] Para_lyzed@lemmy.world 4 points 3 months ago

No, here is the official RPMFusion documentation for it, which is linked to in the Nvidia driver documentation from RPMFusion.

[-] Amaterasu@lemmy.world 3 points 3 months ago

For Fedora you can follow the RPM Fusion documentation or have a look at this guide.

[-] wallmenis@lemmy.one 1 points 3 months ago

Looks interesting. A bit scary enrolling keys because I am scared of accidentally deleting the default ones (unless I am being unreasonable).

[-] Amaterasu@lemmy.world 2 points 3 months ago* (last edited 3 months ago)

The procedure is much more hassle-free than it looks. Keeping the secure boot on enrolled is a good practice. I read recently that Fedora was approving the sign automatically to be part of the gnome-software. So things may become even easier soon.

[-] sugartits@lemmy.world -1 points 3 months ago
[-] wallmenis@lemmy.one 1 points 3 months ago

Are the new kernel modules planned to be included in the kernel and if so, will that mean there will be secure boot support?

[-] boredsquirrel@slrpnk.net 3 points 3 months ago

No, NVIDIA doesn't care about being upstream so until something changes they will be out of tree.

Changed boot files hash, broken Microsoft key, you need to sign yourself.

This is automated though.

this post was submitted on 15 Aug 2024
27 points (96.6% liked)
