From 7c3861e3611c62dad38c241651df217ae24077f1 Mon Sep 17 00:00:00 2001 From: Jiri Eischmann Date: Mon, 15 Jul 2024 16:30:14 +0200 Subject: [PATCH] Adding information about security implications and key deletion to the MOK enrollment page --- modules/ROOT/pages/mok-enrollment.adoc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/modules/ROOT/pages/mok-enrollment.adoc b/modules/ROOT/pages/mok-enrollment.adoc index d312a6e..62d0b58 100644 --- a/modules/ROOT/pages/mok-enrollment.adoc +++ b/modules/ROOT/pages/mok-enrollment.adoc @@ -2,6 +2,8 @@ This page documents how to enroll a machine owner key that is created during the Nvidia driver installation (typically in GNOME Software). +==== + == Prerequisite The Nvidia driver has been installed and a machine owner key to self-sign the driver has been created in GNOME Software (or in a similar tool that supports it). @@ -27,3 +29,17 @@ image:mok-util-05.png[mok-util-06.png,title="mokutil start screen"] 6. Select *Reboot* to reboot into the OS with the Nvidia drivers enabled. image:mok-util-06.png[mok-util-07.png,title="Enroll the key(s) - Password"] + +== Security Implications + +Note that the enrolled machine owner key will be used to sign any future updates to the module or any other module you will decide to install and they will be implicitly trusted. All future updates will happen transparently with no interaction and/or authorization. Therefore, it's recommended to delete the machine owner key when it's no longer needed. + +== Deleting Machine Owner Key + +To delete the machine owner key, perform the following command in the terminal: ++ +[subs="quotes"] +---- +$ *sudo mokutil --delete /etc/pki/akmods/certs/public_key.der* +---- +
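Review bot: The lone `====` added in the first hunk (`@@ -2,6 +2,8 @@`) is an AsciiDoc example-block delimiter with no matching closing `====` anywhere in the patch, so everything from the `== Prerequisite` heading onward will be rendered inside an unterminated block instead of as normal sections. If a callout was intended, pair it with a closing `====` (or use an admonition such as `NOTE:`); otherwise drop the line.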
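Review bot: In the second hunk (`@@ -27,3 +29,17 @@`), the `+` list-continuation line under "To delete the machine owner key, perform the following command in the terminal:" attaches to nothing, because that sentence is a plain paragraph rather than a numbered list item like steps 1-6 above it; AsciiDoc will render a literal "+" in the output. Either remove the `+` or make the sentence a list item. The same section should also say that `mokutil --delete` only queues a deletion request: as with enrollment, it asks for a password and the deletion has to be confirmed in the MOK manager on the next reboot, and any later driver update will need the key enrolled again. The "Security Implications" paragraph reads better as "any other module you decide to install, and they will be implicitly trusted".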