Secure Boot - Fedora 37 - 3rd party karnel modules


My Broadcom-WL drivers did not work with Secure Boot on. modinfo wl showed that they are signed. Investigated a bit and found that Fedora Secure Boot CA is expired in Fedora 37. It should be like this? Is it auto generated on install? Or we have past date on purpose?

Checked cat /boot/config-6.0.18-300.fc37.x86_64 | grep CONFIG_MODULE_SIG_ALL - was on (“y”).
I have enrolled new certs with /usr/sbin/kmodgenca (/usr/share/doc/akmods/README.secureboot), removed Broadcom-WL, installed Broadcom-WL again - all started to work with Secure Boot.

mokutil --list-enrolled:

        Version: 3 (0x2)
        Serial Number: 2574709492 (0x9976f2f4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fedora Secure Boot CA
            Not Before: Dec  7 16:25:54 2012 GMT
            Not After : Dec  5 16:25:54 2022 GMT
        Subject: CN=Fedora Secure Boot CA

1 Like

It seems not to matter that the Fedora certificate has expired, as secure boot works anyway; at least for me.

To conclude - I think Fedora Secure Boot CA is unrelated with loading 3rd party kernel modules. Fedora 37 generated certificates on install, I just had to import them with mokutil --import /etc/pki/akmods/certs/public_key.der. How to do it is in /usr/share/doc/akmods/README.secureboot

Quote from README.secureboot

- Ask MOK to enroll new keypair with certificate with the command
  `mokutil --import /etc/pki/akmods/certs/public_key.der`.
- mokutil asks to generate a password to enroll the public key.
- Rebooting the system is needed for MOK to enroll the new public key.
- On next boot MOK Management is launched and you have to choose
  "Enroll MOK".
- Choose "Continue" to enroll the key or "View key 0" to show the keys
  already enrolled.
- Confirm enrollment by selecting "Yes".
- You will be invited to enter the password generated above.
  WARNING: keyboard is mapped to QWERTY!
- The new key is enrolled, and system ask you to reboot