cancel
Showing results for 
Search instead for 
Did you mean: 

Secure booting with self signed key, and CSM turned off.

Zarathustraa
Level 7
I followed the Secure Boot guidelines here for the RVE. The guidelines worked nearly perfectly.

The only problem I ran into is not being able to boot without the Compatibility Support Module turned on. I'm guessing I need to place a key on my ssd, or sign my uefi video card somehow.

Is anyone able to help?
5,756 Views
9 REPLIES 9

Qwinn
Level 11
I assume you're only having this issue in Linux, yes? I didn't have to go through any of that for Windows 10, I just loaded the preset keys from within the BIOS (and they seem to be retained even when reflashing the BIOS, it was a one time thing first time I used the board).

But I still can't boot Linux without having to enable CSM.

Zarathustraa
Level 7
It's just for Linux. I'm going to have to look into the tools for modifying keys.

This link looks pretty good:

http://www.rodsbooks.com/linux-uefi/

I'm not entirely sure that the keys are your primary issue. The main question may be, same as with Windows, you have to make sure you *install* Linux with CSM disabled. The link goes into details.

(Note that I never went through the trouble for this, so can't vouch if it'll work. I only ever boot Linux off a DVD to run GSAT, nothing else.)

Qwinn
Level 11
This link looks pretty good:

http://www.rodsbooks.com/linux-uefi/

The main question is, same as with Windows, you have to make sure you *install* Linux with CSM disabled. The link goes into details.

cekim
Level 11
UEFI Secure is pretty frustrating in linux. I've been keeping score:
Problems caused by UEFI Secure Boot: 4,592
Problems solved by UEFI Secure Boot: 0
😉

It depends on your distribution and video card, but nvidia's drivers will generate a key in something like /var/lib/nvidia (don't quote me on that, its mentioned somewhere when you build the nvidia libraries).

You then need to use mokutil to install the key then reboot. IF it works, when you reboot, it will come up with screen asking if you are super-sure you want to allow this and you say yes then everything works until your next yum/apt-get update and you repeat this madness again.
Some info on mokutil and nvidia drivers
https://www.elrepo.org/tiki/SecureBootKey
http://superuser.com/questions/788401/adding-x-509-certificate-to-uefi-secure-boot-database

Which distro?
Which card?

Zarathustraa
Level 7
It's Arch and a 660ti. The issue happens before getting into refind.

Zarathustraa wrote:
It's Arch and a 660ti. The issue happens before getting into refind.


I'm not familiar with that distro at all sorry, but a search of "arch linux mokutil" does produce some videos suggesting the flow differs from what I've seen with CentOS and ubuntu:
https://www.youtube.com/watch?v=KBYTeN5VXXg

Zarathustraa
Level 7
It boots fine in UEFI if I disable secure boot. I'm guessing I need to sign something in the video cards bios with my own key? I'm trying to avoid having to use shim.

Zarathustraa wrote:
It boots fine in UEFI if I disable secure boot. I'm guessing I need to sign something in the video cards bios with my own key? I'm trying to avoid having to use shim.

You certainly do with CentOS, but the nvidia driver installation does this for you.

RedHat describes this process here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_...