Adding information about security implications and key deletion to the MOK enrollment page

2024-11-24 05:22:42 +00:00 · 2024-07-15 16:30:14 +02:00 · 2024-07-15 16:30:14 +02:00 · 7c3861e361
commit 7c3861e361
parent b1fa43f3d2
1 changed files with 16 additions and 0 deletions
--- a/modules/ROOT/pages/mok-enrollment.adoc
+++ b/modules/ROOT/pages/mok-enrollment.adoc
@ -2,6 +2,8 @@

 This page documents how to enroll a machine owner key that is created during the Nvidia driver installation (typically in GNOME Software).

+====
+
 == Prerequisite

 The Nvidia driver has been installed and a machine owner key to self-sign the driver has been created in GNOME Software (or in a similar tool that supports it).
@ -27,3 +29,17 @@ image:mok-util-05.png[mok-util-06.png,title="mokutil start screen"]

 6. Select *Reboot* to reboot into the OS with the Nvidia drivers enabled.
 image:mok-util-06.png[mok-util-07.png,title="Enroll the key(s) - Password"]
+
+== Security Implications
+
+Note that the enrolled machine owner key will be used to sign any future updates to the module or any other module you will decide to install and they will be implicitly trusted. All future updates will happen transparently with no interaction and/or authorization. Therefore, it's recommended to delete the machine owner key when it's no longer needed.
+
+== Deleting Machine Owner Key
+
+To delete the machine owner key, perform the following command in the terminal:
+
+[subs="quotes"]
+----
+$ *sudo mokutil --delete /etc/pki/akmods/certs/public_key.der*
+----
+